Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Local access and low privileges required to interact with the Thunderbolt interface; impact is kernel crash only, with no confidentiality or integrity effect.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionNVD
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Reject zero-length property entries in validator
tb_property_entry_valid() accepts entries with length == 0 for DIRECTORY, DATA, and TEXT types. A zero-length TEXT entry passes validation but causes an underflow in the null-termination logic:
property->value.text[property->length * 4 - 1] = '\0';
When property->length is 0 this writes to offset -1 relative to the allocation.
Reject zero-length entries early in the validator since they have no valid representation in the XDomain property protocol.
AnalysisAI
Thunderbolt XDomain property validator in the Linux kernel triggers a heap underflow when processing zero-length TEXT property entries, enabling a local low-privileged attacker to crash the kernel (denial of service). The root cause is in tb_property_entry_valid(), which permits length==0 for TEXT entries that subsequently compute an array index of -1 during null-termination (0 * 4 - 1), writing one byte before the allocated buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local low-privileged account on the target system (CVSS PR:L), meaning an attacker must have valid credentials and a shell or local code execution context - remote unauthenticated access alone is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is moderate-to-low despite the Availability:High impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local user on a Linux system with Thunderbolt hardware crafts a malformed XDomain property entry with a TEXT type and explicitly sets length to zero, then submits it through the Thunderbolt property interface. The validator passes the entry without rejection, and the subsequent null-termination logic writes a null byte one position before the allocated text buffer on the heap, corrupting adjacent heap metadata or kernel data structures and triggering a kernel panic, crashing the system. … |
| Remediation | The primary fix is upgrading to a patched Linux kernel version: 5.10.259 or later for the 5.10.x longterm branch, 5.15.210 or later for 5.15.x, 6.1.176 or later for 6.1.x, 6.6.143 or later for 6.6.x, 6.12.94 or later for 6.12.x, 6.18.36 or later for 6.18.x, 7.0.13 or later for 7.0.x, or 7.1 for mainline. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-191 – Integer Underflow
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39241
GHSA-pwh4-8crg-2xvf