Skip to main content

Linux Kernel CVE-2026-53149

| EUVDEUVD-2026-39240 HIGH
Out-of-bounds Read (CWE-125)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-4463-xxf2-768j
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
7.1 HIGH

Out-of-bounds read triggered by device-supplied property data on a Thunderbolt-enabled host yields memory disclosure (C:H) and kernel crash (A:H), no integrity impact; kept AV:L per NVD though a peripheral AV:P model is plausible.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 20:01 vuln.today
CVSS changed
Jul 06, 2026 - 17:52 NVD
7.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
HIGH 7.1
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Bound root directory content to block size

__tb_property_parse_dir() does not check that content_offset + content_len fits within block_len for the root directory case. When rootdir->length equals or exceeds block_len - 2, the entry loop reads past the allocated property block.

Add a bounds check after computing content_offset and content_len to reject directories whose content extends past the block.

AnalysisAI

Out-of-bounds read in the Linux kernel Thunderbolt (thunderbolt) property parser lets a crafted property directory from a connected Thunderbolt/USB4 device cause the kernel to read past an allocated property block, potentially disclosing adjacent kernel memory or crashing the system. The flaw lives in __tb_property_parse_dir(), which fails to validate that content_offset + content_len stays within block_len for the root directory. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect malicious Thunderbolt/USB4 device
Delivery
Device advertises crafted property directory
Exploit
rootdir->length exceeds block bounds
Execution
Kernel parses via __tb_property_parse_dir
Persist
Loop reads past property block
Impact
Kernel memory disclosed or panic

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target run a Linux kernel with the Thunderbolt/USB4 subsystem enabled and that it parse a property directory in which the root directory's declared length (rootdir->length) equals or exceeds block_len - 2, so that content_offset + content_len extends past the allocated property block - this crafted property metadata IS the specific trigger condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are consistent and point to a genuine-but-not-urgent defect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a malicious or reprogrammed Thunderbolt/USB4 device crafts a property directory whose declared root-directory length meets or exceeds block_len - 2, then connects it to a target machine; when the kernel parses the advertised properties, __tb_property_parse_dir() reads past the allocated block, leaking adjacent kernel memory into parsed structures or panicking the kernel. No proof-of-concept was provided and the issue is not in CISA KEV, so this scenario is theoretical based on the code path; given AV:L/AC:L, exploitation is low-complexity once the malicious device can present property data to the host.
Remediation Vendor-released patch: upgrade to the fixed stable release for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or later) - which adds the bounds check rejecting directories whose content extends past the block; commits are published at https://git.kernel.org/stable/c/ (e.g., 0a32040a48db8cf35de48b85d6115df5623e4964 and the sibling stable hashes) and tracked at https://nvd.nist.gov/vuln/detail/CVE-2026-53149. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and catalog systems running affected Linux kernel versions with Thunderbolt/USB4 support. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53149 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy