CVE Catalog

CVE-2026-53146

HighCVSS 7.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

In the Linux kernel Thunderbolt subsystem, a vulnerability was found where tb_xdomain_copy() copies data from the XDomain response buffer without checking the actual frame size. A short response can cause reading beyond the valid DMA buffer area, exposing stale data from previous transactions.

Risk Assessment

The organization risks leakage of sensitive data from DMA memory, which may contain information from prior Thunderbolt operations, potentially allowing an attacker to access confidential data.

Recommendation

Immediately update the Linux kernel to a version containing the fix that limits the copy length to the minimum of the frame size and the expected response size.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Limit XDomain response copy to actual frame size tb_xdomain_copy() copies req->response_size bytes from the received packet buffer regardless of the actual frame size. When a short response arrives, this reads past the valid frame data in the DMA pool buffer into stale contents from previous transactions. Use the minimum of frame size and expected response size for the copy length.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS