Description
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Clamp XDomain response data copy to allocation size

tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.

Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
Published: 2026-06-25
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the Thunderbolt XDP properties request handler causes the driver to copy data from a peer without checking that the per‑packet length fits within the buffer previously allocated. The resulting memcpy operation can overwrite memory beyond the allocated region, corrupting kernel data structures or executing arbitrary code. This is a classic out‑of‑bounds write vulnerability.

Affected Systems

The flaw resides in the Linux kernel’s Thunderbolt subsystem. No specific kernel releases are listed in the CVE record, so affected systems are those running any Linux kernel version that contains the vulnerable tb_xdp_properties_request implementation before the patch commits cited in the advisory.

Risk and Exploitability

The EPSS score is < 1% and the vulnerability is not listed in the CISA KEV catalog, but the lack of bounds checking combined with a CVSS score of 7.0 indicates a high severity. The likely attack vector is a malicious Thunderbolt device that can send crafted packets to the host; this is inferred from the driver. If an attacker can supply such data, they could cause memory corruption that leads to privilege escalation or denial of service.

Generated by OpenCVE AI on June 26, 2026 at 04:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the kernel version that includes the patch commits referenced in the advisory; this removes the unchecked copy length bug.
  • If a kernel upgrade cannot be performed immediately, disable the Thunderbolt XDP feature or related tb_xdp_properties_request functionality by configuring the kernel to exclude those drivers or setting relevant module parameters to turn off the vulnerability component.
  • Continuously monitor Thunderbolt activity and kernel logs for abnormal packet lengths or errors, and apply any vendor‑issued security updates as soon as they become available.

Generated by OpenCVE AI on June 26, 2026 at 04:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-787

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Clamp XDomain response data copy to allocation size tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.
Title thunderbolt: Clamp XDomain response data copy to allocation size
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-07-15T00:44:48.625Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53148

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53148 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T04:45:06Z

Weaknesses