Description
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Clamp XDomain response data copy to allocation size

tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.

Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
Published: 2026-06-25
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the Thunderbolt XDP properties request handler causes the driver to copy data from a peer without checking that the per‑packet length fits within the buffer previously allocated. The resulting memcpy operation can overwrite memory beyond the allocated region, corrupting kernel data structures or executing arbitrary code. This is a classic out‑of‑bounds write vulnerability.

Affected Systems

The flaw resides in the Linux kernel’s Thunderbolt subsystem. No specific kernel releases are listed in the CVE record, so affected systems are those running any Linux kernel version that contains the vulnerable tb_xdp_properties_request implementation before the patch commits cited in the advisory.

Risk and Exploitability

The EPSS score is missing and the vulnerability is not in the CISA KEV catalog, but the lack of bounds checking implies a high severity. The likely attack vector is a malicious Thunderbolt device that can send crafted packets to the host; this is inferred from the nature of the driver. If an attacker can supply such data, they could cause memory corruption that leads to privilege escalation or denial of service.

Generated by OpenCVE AI on June 25, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the kernel to the latest stable release that includes the Keystone commits shown in the advisory; this removes the unchecked copy length bug.
  • If a kernel upgrade cannot be performed immediately, disable the Thunderbolt XDP feature or related tb_xdp_properties_request functionality by configuring the kernel to exclude those drivers or setting appropriate module parameters to turn off the vulnerability component.
  • Continuously monitor Thunderbolt activity and kernel logs for abnormal packet lengths or errors, and apply any vendor‑issued security updates as soon as they become available.

Generated by OpenCVE AI on June 25, 2026 at 10:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-119
CWE-787

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Clamp XDomain response data copy to allocation size tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.
Title thunderbolt: Clamp XDomain response data copy to allocation size
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:34.208Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53148

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T10:30:17Z

Weaknesses
  • CWE-119

    Improper Restriction of Operations within the Bounds of a Memory Buffer

  • CWE-787

    Out-of-bounds Write