CVE-2026-53148
HighCVSS 7.0Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
In the Linux kernel Thunderbolt driver, a vulnerability exists where the per-packet copy length derived from the response header is not checked against the allocated buffer size. A malicious peer can set a length field larger than data_length, causing memcpy to write past the kcalloc allocation.
Risk Assessment
An attacker can remotely cause kernel memory corruption, potentially leading to system crash, data leak, or privilege escalation.
Recommendation
Immediately update the Linux kernel to a version containing the fix that clamps the per-packet copy length so the cumulative offset never exceeds data_len.
Original NVD description (English source)
In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Clamp XDomain response data copy to allocation size tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.

