Skip to main content

Linux Kernel EUVDEUVD-2026-39238

| CVE-2026-53147 HIGH
Out-of-bounds Read (CWE-125)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-vrfr-cw9w-gwrx
8.1
CVSS 3.1 · Vendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Share

Severity by source

Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67) PRIMARY
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
8.1 HIGH

Adjacent Thunderbolt peer triggers OOB read with no auth or interaction (AV:A/AC:L/PR:N/UI:N); memory leak gives C:H and kernel crash gives A:H, with no integrity impact (I:N).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (416baaa9-dc9f-4396-8d5f-8c081fb06d67).

CVSS VectorVendor: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 28, 2026 - 09:15 vuln.today
CVSS changed
Jun 28, 2026 - 08:22 NVD
8.1 (HIGH)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 cve.org
HIGH 8.1
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Validate XDomain request packet size before type cast

tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation.

Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.

AnalysisAI

Out-of-bounds memory read in the Linux kernel's Thunderbolt (thunderbolt) XDomain driver allows an adjacent peer connected over a Thunderbolt link to leak kernel heap memory or crash the host. The flaw lives in tb_xdp_handle_request(), which casts a received XDomain packet to protocol-specific structs without confirming the kmemdup allocation is large enough, so a deliberately undersized packet that still passes the generic header-length check triggers reads past the buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect malicious Thunderbolt peer to port
Delivery
Establish XDomain session with host
Exploit
Send undersized crafted XDomain request
Execution
Pass header check, fail struct-size validation
Persist
Kernel reads out-of-bounds heap memory
Impact
Leak kernel data or crash host

Vulnerability AssessmentAI

Exploitation Exploitation requires an adjacent Thunderbolt XDomain peer connection: the attacker must be able to connect a malicious Thunderbolt/USB4 device or host to the target's Thunderbolt port and have the target's thunderbolt driver process XDomain control requests. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mostly consistent and point to a genuine but narrow-surface memory-safety bug rather than a mass-exploitation threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects a malicious Thunderbolt device or host to a victim's exposed Thunderbolt port and sends a crafted, undersized XDomain request that satisfies the generic header-length check but is shorter than the struct the kernel casts it to. When tb_xdp_handle_request() dereferences fields past the kmemdup allocation, the kernel reads adjacent heap memory, potentially leaking sensitive data back to the peer or crashing the system (denial of service). …
Remediation Vendor-released patch: update to a fixed Linux stable kernel - 6.1.176, 6.6.143, 6.12.94, 6.18.36, or 7.0.13 (or later in each branch), or mainline 7.1, per the kernel.org stable commits. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and catalog Linux systems with Thunderbolt interfaces, prioritizing mobile devices and engineering workstations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39238 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy