Skip to main content

Linux Kernel EUVDEUVD-2026-39241

| CVE-2026-53150 MEDIUM
Integer Underflow (CWE-191)
2026-06-25 416baaa9-dc9f-4396-8d5f-8c081fb06d67 GHSA-pwh4-8crg-2xvf
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
5.5 MEDIUM

Local access and low privileges required to interact with the Thunderbolt interface; impact is kernel crash only, with no confidentiality or integrity effect.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jul 06, 2026 - 17:53 vuln.today
CVSS changed
Jul 06, 2026 - 17:52 NVD
5.5 (MEDIUM)
Patch available
Jun 25, 2026 - 10:32 EUVD
CVE Published
Jun 25, 2026 - 09:16 nvd
MEDIUM 5.5
CVE Published
Jun 25, 2026 - 09:16 cve.org
UNKNOWN (no severity yet)

DescriptionNVD

In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Reject zero-length property entries in validator

tb_property_entry_valid() accepts entries with length == 0 for DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes validation but causes an underflow in the null-termination logic:

property->value.text[property->length * 4 - 1] = '\0';

When property->length is 0 this writes to offset -1 relative to the allocation.

Reject zero-length entries early in the validator since they have no valid representation in the XDomain property protocol.

AnalysisAI

Thunderbolt XDomain property validator in the Linux kernel triggers a heap underflow when processing zero-length TEXT property entries, enabling a local low-privileged attacker to crash the kernel (denial of service). The root cause is in tb_property_entry_valid(), which permits length==0 for TEXT entries that subsequently compute an array index of -1 during null-termination (0 * 4 - 1), writing one byte before the allocated buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged local shell
Delivery
Craft zero-length TEXT XDomain property entry
Exploit
Submit entry to tb_property_entry_valid() validator
Execution
Validator passes zero-length check incorrectly
Persist
Null-termination computes index -1
Impact
Out-of-bounds heap write triggers kernel panic

Vulnerability AssessmentAI

Exploitation Exploitation requires a local low-privileged account on the target system (CVSS PR:L), meaning an attacker must have valid credentials and a shell or local code execution context - remote unauthenticated access alone is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate-to-low despite the Availability:High impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local user on a Linux system with Thunderbolt hardware crafts a malformed XDomain property entry with a TEXT type and explicitly sets length to zero, then submits it through the Thunderbolt property interface. The validator passes the entry without rejection, and the subsequent null-termination logic writes a null byte one position before the allocated text buffer on the heap, corrupting adjacent heap metadata or kernel data structures and triggering a kernel panic, crashing the system. …
Remediation The primary fix is upgrading to a patched Linux kernel version: 5.10.259 or later for the 5.10.x longterm branch, 5.15.210 or later for 5.15.x, 6.1.176 or later for 6.1.x, 6.6.143 or later for 6.6.x, 6.12.94 or later for 6.12.x, 6.18.36 or later for 6.18.x, 7.0.13 or later for 7.0.x, or 7.1 for mainline. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy