suse · CVE-2026-53147

Quick triage

Priority: medium Published: 2026-06-25 23:14:48 UTC Updated: 2026-06-30 23:15:30 UTC

View at Official suse advisory, NVD, CVE.org · CVE detail

Freshness: upstream tracker timestamp is available; use API updated time as primary recency signal.

Tracker summary

CVE-2026-53147 severity moderate: SUSE including 17 source package names (cluster-md-kmp-default, dlm-kmp-default, …), 60 product×package rows across 16 product lines (SUSE Linux Enterprise High Availability Extension 15 SP7, SUSE Linux Enterprise Live Patching 15 SP7, … (16 product lines)): Known Not Affected 60.

Description:

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.

cvelogic Threat Intelligence