Skip to main content

Linux Kernel EUVDEUVD-2026-39237

| CVE-2026-53146 HIGH
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-9cph-qj5m-89rx
7.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
7.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
6.5 MEDIUM

Adjacent Thunderbolt-bus access with no auth (AV:A/PR:N); a read-only over-read leaks kernel memory, so C:H but I:N/A:N rather than the feed's I:L.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:15 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
7.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 7.1
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Limit XDomain response copy to actual frame size

tb_xdomain_copy() copies req->response_size bytes from the received packet buffer regardless of the actual frame size. When a short response arrives, this reads past the valid frame data in the DMA pool buffer into stale contents from previous transactions.

Use the minimum of frame size and expected response size for the copy length.

AnalysisAI

Information disclosure in the Linux kernel's Thunderbolt XDomain driver allows a malicious peer device to read stale kernel DMA-pool memory from prior transactions. The tb_xdomain_copy() function copies the full expected response_size from a received packet buffer without bounding it to the actual frame size, so a deliberately short response causes the kernel to leak adjacent buffer contents. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect malicious Thunderbolt device to port
Delivery
Initiate XDomain request/response exchange
Exploit
Reply with truncated short frame
Execution
Trigger over-read in tb_xdomain_copy()
Impact
Receive stale kernel DMA-pool memory

Vulnerability AssessmentAI

Exploitation Exploitation requires an attacker-controlled Thunderbolt/USB4 device to be physically connected to the target and the Thunderbolt XDomain (host-to-host) protocol to be active, so the malicious peer can send a crafted short response frame that the vulnerable tb_xdomain_copy() over-reads. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are consistent and point to a moderate, physically-gated risk rather than an urgent network priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects a malicious or emulated Thunderbolt device to a target's Thunderbolt/USB4 port and initiates XDomain communication, deliberately replying to a request with a truncated (short) response frame. The kernel then copies beyond the delivered data, returning stale DMA-pool bytes from prior transactions to the attacker, potentially leaking fragments of kernel memory. …
Remediation Vendor-released patch: upgrade to the fixed stable kernel for your branch - 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, or 7.1 (or your distribution's backported equivalent). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Linux systems with Thunderbolt XDomain driver active. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39237 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy