Skip to main content

CVE-2026-39959

| EUVDEUVD-2026-20964 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-08 https://github.com/tmds/Tmds.DBus GHSA-xrw6-gwf8-vvr9
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 14:45 euvd
EUVD-2026-20964
Analysis Generated
Apr 09, 2026 - 14:45 vuln.today
CVE Published
Apr 08, 2026 - 19:52 nvd
HIGH 7.1

DescriptionGitHub Advisory

Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext.

Patches

The vulnerabilities are fixed in version 0.92.0. For Tmds.DBus.Protocol, the fixes are also backported to 0.21.3.

Workarounds

There are no known workarounds. Users should upgrade to a patched version.

AnalysisAI

Malicious D-Bus peers can execute three distinct attacks against applications using Tmds.DBus or Tmds.DBus.Protocol .NET libraries: signal spoofing via well-known name impersonation (integrity compromise), file descriptor exhaustion causing resource depletion or fd spillover, and application crashes through malformed message bodies triggering unhandled exceptions on SynchronizationContext. Attack requires local access with low-privileged D-Bus peer presence (PR:L). Vendor-released patches available in versions 0.92.0 (both libraries) and 0.21.3 (Protocol only). No public exploit identified at time of analysis.

Technical ContextAI

Root cause (CWE-400 Uncontrolled Resource Consumption) stems from insufficient input validation on D-Bus message structures. Library fails to authenticate signal origins against well-known name ownership, validate Unix file descriptor counts in incoming messages before processing, and sanitize message body formats prior to deserialization on managed synchronization contexts. Affects NuGet packages pkg:nuget/tmds.dbus and pkg:nuget/tmds.dbus.protocol across pre-patch versions.

RemediationAI

Vendor-released patches: upgrade Tmds.DBus to version 0.92.0 or later; upgrade Tmds.DBus.Protocol to version 0.21.3 (backport branch) or 0.92.0 (current release). No workarounds exist per vendor advisory - patching is mandatory. Update NuGet package references in project files and redeploy affected applications. Verify installed versions via dotnet list package command. Organizations unable to immediately patch should restrict D-Bus bus access to trusted processes only through system policy configurations. Full advisory and release notes: https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9

Share

CVE-2026-39959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy