In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Clamp XDomain response data copy to allocation size
tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.
Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
| Score | Percentile |
|---|---|
| 0.14% | 3.73% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.0 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-ggvw-pp2v-j3gm ↗ |
| CVE | CVE-2026-53148 ↗ |
| CWE id | Name |
|---|---|
| CWE-787 | Out-of-bounds Write |