Description
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Reject zero-length property entries in validator

tb_property_entry_valid() accepts entries with length == 0 for
DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes
validation but causes an underflow in the null-termination logic:

property->value.text[property->length * 4 - 1] = '\0';

When property->length is 0 this writes to offset -1 relative to
the allocation.

Reject zero-length entries early in the validator since they have no
valid representation in the XDomain property protocol.
Published: 2026-06-25
Score: 7.0 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

tb_property_entry_valid() mistakenly accepts property entries of length zero for DIRECTORY, DATA, and TEXT types. The validator then writes a null terminator at the index property->value.text[property->length * 4 - 1], which evaluates to an offset of –1 when the length is zero. This results in an out‑of‑bounds write before the start of the allocated buffer, corrupting kernel memory. The official description explicitly states memory corruption; it does not claim further exploitation such as code execution or privilege escalation, though such downstream impacts could theoretically arise from the corruption.

Affected Systems

The flaw resides in the Linux kernel’s Thunderbolt driver. All active Linux kernel installations that load the thunderbolt kernel module are potentially affected, regardless of vendor or distribution, because the vendor/product identification is simply Linux:Linux and no specific version ranges are enumerated. Administrators should review if their deployments use the Thunderbolt driver and whether a patch release is available.

Risk and Exploitability

The CVSS score of 7.0 indicates a high severity of kernel memory corruption, but the EPSS score of less than 1% and the fact that the vulnerability is not listed in CISA’s KEV catalog suggest a low probability of active exploitation. The attack is likely to be local or result from devices connected via Thunderbolt, which usually requires physical or compromised firmware access. While the flaw can corrupt kernel memory, the CVE description does not provide evidence that an attacker could achieve higher privileges or execute arbitrary code. The potential impact remains limited to corruption unless additional vulnerabilities are chained.

Generated by OpenCVE AI on June 26, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Linux kernel update that rejects zero‑length Thunderbolt property entries.
  • If a kernel update is not yet available, disable the thunderbolt kernel module or block Thunderbolt devices at the firmware level.
  • Remove any untrusted Thunderbolt devices from the system and enable device authentication if supported.

Generated by OpenCVE AI on June 26, 2026 at 16:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4664-1 linux security update
Debian DLA Debian DLA DLA-4665-1 linux security update
Debian DLA Debian DLA DLA-4671-1 linux-6.1 security update
History

Fri, 26 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Fri, 26 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-191
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.0, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

threat_severity

Moderate


Thu, 25 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-122

Thu, 25 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Reject zero-length property entries in validator tb_property_entry_valid() accepts entries with length == 0 for DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes validation but causes an underflow in the null-termination logic: property->value.text[property->length * 4 - 1] = '\0'; When property->length is 0 this writes to offset -1 relative to the allocation. Reject zero-length entries early in the validator since they have no valid representation in the XDomain property protocol.
Title thunderbolt: Reject zero-length property entries in validator
First Time appeared Linux
Linux linux Kernel
CPEs cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel
References

Subscriptions

Linux Linux Kernel
cve-icon MITRE

Status: PUBLISHED

Assigner: Linux

Published:

Updated: 2026-06-25T08:38:35.531Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53150

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-25T00:00:00Z

Links: CVE-2026-53150 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-191

    Integer Underflow (Wrap or Wraparound)