Description
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Validate XDomain request packet size before type cast

tb_xdp_handle_request() casts the received packet buffer to
protocol-specific structs without verifying that the allocation
is large enough for the target type. A peer can send a minimal
XDomain packet that passes the generic header length check but is
shorter than the struct accessed after the cast, causing out-of-
bounds reads from the kmemdup allocation.

Plumb the packet length through xdomain_request_work and validate
it against the expected struct size before each cast.
Published: 2026-06-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The bug occurs in the Thunderbolt XDomain packet handling function tb_xdp_handle_request(). The function casts an incoming packet buffer to protocol‑specific structs without verifying that the buffer is large enough for the target type. A malicious peer can send a minimal XDomain packet that satisfies the generic header length check yet is shorter than the struct accessed after the cast, causing an out‑of‑bounds read from the kmemdup allocation. The read can expose kernel memory contents, potentially leaking sensitive data. Based on the description, it is inferred that this out‑of‑bounds read could lead to information disclosure.

Affected Systems

The vulnerability affects the Linux kernel Thunderbolt XDomain subsystem. All systems running any Linux kernel version that has not incorporated the packet size validation patch are affected. The CNA data lists Linux:Linux as the vendor, and no particular kernel versions are listed, so any kernel with the unpatched Thunderbolt XDomain handler could be affected.

Risk and Exploitability

The CVSS score is 8.1, indicating a high severity vulnerability. The EPSS score of <1% suggests a low likelihood of exploitation at present, and the issue is not listed in CISA's KEV catalog. The likely attack vector involves an attacker sending crafted Thunderbolt XDomain packets to a target device that has the vulnerable Thunderbolt driver loaded. Based on the description, it is inferred that the attacker must be able to transmit packets over the Thunderbolt interface, which may require physical proximity or remote access in shared Thunderbolt environments. If Thunderbolt traffic is limited to trusted devices, exploitation risk is further mitigated.

Generated by OpenCVE AI on June 28, 2026 at 14:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a Linux kernel update that incorporates the packet size validation patch for the Thunderbolt XDomain handler.
  • If an update is not immediately available, disable the Thunderbolt XDomain subsystem or unload the thunderbolt driver to block vulnerable packet processing.
  • Monitor kernel logs for XDomain packet handling errors and, if possible, filter or block Thunderbolt traffic from untrusted devices as an interim measure.

Generated by OpenCVE AI on June 28, 2026 at 14:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Sun, 28 Jun 2026 08:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Fri, 26 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.
Title thunderbolt: Validate XDomain request packet size before type cast
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-28T06:39:32.188Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53147

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53147 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-28T14:30:07Z

Weaknesses