Description
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Reject zero-length property entries in validator

tb_property_entry_valid() accepts entries with length == 0 for
DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes
validation but causes an underflow in the null-termination logic:

property->value.text[property->length * 4 - 1] = '\0';

When property->length is 0 this writes to offset -1 relative to
the allocation.

Reject zero-length entries early in the validator since they have no
valid representation in the XDomain property protocol.
Published: 2026-06-25
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Linux kernel Thunderbolt subsystem accepts property entries that have a zero length for DIRECTORY, DATA, and TEXT types. When a TEXT entry with length zero is processed, the validator writes a null terminator at the offset property->value.text[property->length * 4 - 1], which evaluates to -1 when length is zero. This results in an out‑of‑bounds write before the beginning of the allocated buffer, corrupting adjacent kernel memory. If an attacker can supply a malicious Thunderbolt property entry, this memory corruption can be leveraged to achieve privilege escalation or arbitrary code execution, making the flaw a serious kernel vulnerability.

Affected Systems

The affected product is the Linux kernel itself, as indicated by the vendor and product information and the CPE string. No particular kernel version is listed, so any current or older Linux kernel releases that include the Thunderbolt driver are potentially impacted until the patch is applied.

Risk and Exploitability

There is no CVSS or EPSS score listed, and the vulnerability is not listed in the CISA KEV catalog; the nature of the flaw implies a high severity. The attack vector is likely local, requiring the attacker to supply a crafted Thunderbolt device or property entry. In environments where Thunderbolt devices are active, an attacker with physical access could trigger the underflow and exploit the resulting memory corruption.

Generated by OpenCVE AI on June 25, 2026 at 12:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that rejects zero‑length Thunderbolt property entries.
  • If a kernel update is not yet available, disable the thunderbolt kernel module or block Thunderbolt devices at the firmware level.
  • Remove any untrusted Thunderbolt devices from the system and enable device authentication if supported.

Generated by OpenCVE AI on June 25, 2026 at 12:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Reject zero-length property entries in validator tb_property_entry_valid() accepts entries with length == 0 for DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes validation but causes an underflow in the null-termination logic: property->value.text[property->length * 4 - 1] = '\0'; When property->length is 0 this writes to offset -1 relative to the allocation. Reject zero-length entries early in the validator since they have no valid representation in the XDomain property protocol.
Title thunderbolt: Reject zero-length property entries in validator
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:35.531Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53150

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T14:00:04Z

Weaknesses
  • CWE-122

    Heap-based Buffer Overflow