CVE Catalog

CVE-2026-53148

HighCVSS 7.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

In the Linux kernel Thunderbolt driver, a vulnerability exists where the per-packet copy length derived from the response header is not checked against the allocated buffer size. A malicious peer can set a length field larger than data_length, causing memcpy to write past the kcalloc allocation.

Risk Assessment

An attacker can remotely cause kernel memory corruption, potentially leading to system crash, data leak, or privilege escalation.

Recommendation

Immediately update the Linux kernel to a version containing the fix that clamps the per-packet copy length so the cumulative offset never exceeds data_len.

Original NVD description (English source)

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Clamp XDomain response data copy to allocation size tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS