Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Adjacent Thunderbolt peer triggers OOB read with no auth or interaction (AV:A/AC:L/PR:N/UI:N); memory leak gives C:H and kernel crash gives A:H, with no integrity impact (I:N).
Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).
CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Validate XDomain request packet size before type cast
tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation.
Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.
AnalysisAI
Out-of-bounds memory read in the Linux kernel's Thunderbolt (thunderbolt) XDomain driver allows an adjacent peer connected over a Thunderbolt link to leak kernel heap memory or crash the host. The flaw lives in tb_xdp_handle_request(), which casts a received XDomain packet to protocol-specific structs without confirming the kmemdup allocation is large enough, so a deliberately undersized packet that still passes the generic header-length check triggers reads past the buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an adjacent Thunderbolt XDomain peer connection: the attacker must be able to connect a malicious Thunderbolt/USB4 device or host to the target's Thunderbolt port and have the target's thunderbolt driver process XDomain control requests. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mostly consistent and point to a genuine but narrow-surface memory-safety bug rather than a mass-exploitation threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker connects a malicious Thunderbolt device or host to a victim's exposed Thunderbolt port and sends a crafted, undersized XDomain request that satisfies the generic header-length check but is shorter than the struct the kernel casts it to. When tb_xdp_handle_request() dereferences fields past the kmemdup allocation, the kernel reads adjacent heap memory, potentially leaking sensitive data back to the peer or crashing the system (denial of service). … |
| Remediation | Vendor-released patch: update to a fixed Linux stable kernel - 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 (or later in each branch), or mainline 7.1, per the kernel.org stable commits. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and catalog Linux systems with Thunderbolt interfaces, prioritizing mobile devices and engineering workstations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39238
GHSA-vrfr-cw9w-gwrx