EUVD-2026-20964
GHSA-xrw6-gwf8-vvr9
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4Tags
Description
Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. ### Patches The vulnerabilities are fixed in version 0.92.0. For Tmds.DBus.Protocol, the fixes are also backported to 0.21.3. ### Workarounds There are no known workarounds. Users should upgrade to a patched version.
Analysis
Malicious D-Bus peers can execute three distinct attacks against applications using Tmds.DBus or Tmds.DBus.Protocol .NET libraries: signal spoofing via well-known name impersonation (integrity compromise), file descriptor exhaustion causing resource depletion or fd spillover, and application crashes through malformed message bodies triggering unhandled exceptions on SynchronizationContext. Attack requires local access with low-privileged D-Bus peer presence (PR:L). …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all applications using Tmds.DBus or Tmds.DBus.Protocol in production and development environments. Within 7 days: Upgrade Tmds.DBus to version 0.92.0 and Tmds.DBus.Protocol to version 0.92.0 (or 0.21.3 minimum); validate in staging. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today