Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Out-of-bounds read triggered by device-supplied property data on a Thunderbolt-enabled host yields memory disclosure (C:H) and kernel crash (A:H), no integrity impact; kept AV:L per NVD though a peripheral AV:P model is plausible.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Bound root directory content to block size
__tb_property_parse_dir() does not check that content_offset + content_len fits within block_len for the root directory case. When rootdir->length equals or exceeds block_len - 2, the entry loop reads past the allocated property block.
Add a bounds check after computing content_offset and content_len to reject directories whose content extends past the block.
AnalysisAI
Out-of-bounds read in the Linux kernel Thunderbolt (thunderbolt) property parser lets a crafted property directory from a connected Thunderbolt/USB4 device cause the kernel to read past an allocated property block, potentially disclosing adjacent kernel memory or crashing the system. The flaw lives in __tb_property_parse_dir(), which fails to validate that content_offset + content_len stays within block_len for the root directory. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target run a Linux kernel with the Thunderbolt/USB4 subsystem enabled and that it parse a property directory in which the root directory's declared length (rootdir->length) equals or exceeds block_len - 2, so that content_offset + content_len extends past the allocated property block - this crafted property metadata IS the specific trigger condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are consistent and point to a genuine-but-not-urgent defect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a malicious or reprogrammed Thunderbolt/USB4 device crafts a property directory whose declared root-directory length meets or exceeds block_len - 2, then connects it to a target machine; when the kernel parses the advertised properties, __tb_property_parse_dir() reads past the allocated block, leaking adjacent kernel memory into parsed structures or panicking the kernel. No proof-of-concept was provided and the issue is not in CISA KEV, so this scenario is theoretical based on the code path; given AV:L/AC:L, exploitation is low-complexity once the malicious device can present property data to the host. |
| Remediation | Vendor-released patch: upgrade to the fixed stable release for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) - which adds the bounds check rejecting directories whose content extends past the block; commits are published at https://git.kernel.org/stable/c/ (e.g., 0a32040a48db8cf35de48b85d6115df5623e4964 and the sibling stable hashes) and tracked at https://nvd.nist.gov/vuln/detail/CVE-2026-53149. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and catalog systems running affected Linux kernel versions with Thunderbolt/USB4 support. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39240
GHSA-4463-xxf2-768j