Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Adjacent Thunderbolt-bus access with no auth (AV:A/PR:N); a read-only over-read leaks kernel memory, so C:H but I:N/A:N rather than the feed's I:L.
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Limit XDomain response copy to actual frame size
tb_xdomain_copy() copies req->response_size bytes from the received packet buffer regardless of the actual frame size. When a short response arrives, this reads past the valid frame data in the DMA pool buffer into stale contents from previous transactions.
Use the minimum of frame size and expected response size for the copy length.
AnalysisAI
Information disclosure in the Linux kernel's Thunderbolt XDomain driver allows a malicious peer device to read stale kernel DMA-pool memory from prior transactions. The tb_xdomain_copy() function copies the full expected response_size from a received packet buffer without bounding it to the actual frame size, so a deliberately short response causes the kernel to leak adjacent buffer contents. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an attacker-controlled Thunderbolt/USB4 device to be physically connected to the target and the Thunderbolt XDomain (host-to-host) protocol to be active, so the malicious peer can send a crafted short response frame that the vulnerable tb_xdomain_copy() over-reads. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are consistent and point to a moderate, physically-gated risk rather than an urgent network priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connects a malicious or emulated Thunderbolt device to a target's Thunderbolt/USB4 port and initiates XDomain communication, deliberately replying to a request with a truncated (short) response frame. The kernel then copies beyond the delivered data, returning stale DMA-pool bytes from prior transactions to the attacker, potentially leaking fragments of kernel memory. … |
| Remediation | Vendor-released patch: upgrade to the fixed stable kernel for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Linux systems with Thunderbolt XDomain driver active. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39237
GHSA-9cph-qj5m-89rx