CVE-2026-53147 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0018.

Key SSVC decision points have not yet been added.

Vendors	Products
Linux	Linux Kernel

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Linux	Linux Kernel

References

Link	Providers
https://git.kernel.org/stable/c/07cd2787cdf8942d24a1a3ef81aa89b526fb6381
https://git.kernel.org/stable/c/0dd61ba03d05187726ecdf9c0e2175a81b9b24f6
https://git.kernel.org/stable/c/46da5c3ea011e884028a91cf913db093920a915b
https://git.kernel.org/stable/c/79235c8add5da4bf27a12f5a5dbb579f300c059e
https://git.kernel.org/stable/c/a504b9f2797b739e0304d537e8aa4ce883ecce39
https://git.kernel.org/stable/c/a770e62923090d7572f1f5a8507ae551d354a057

History

Thu, 25 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-119

Thu, 25 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.
Title		thunderbolt: Validate XDomain request packet size before type cast
First Time appeared		Linux Linux linux Kernel
CPEs		cpe:2.3:o:linux:linux_kernel::::::::
Vendors & Products		Linux Linux linux Kernel
References		https://git.kernel.org/stable/c/07cd2787cdf8942d24a1a3ef81aa89b526fb6381 https://git.kernel.org/stable/c/0dd61ba03d05187726ecdf9c0e2175a81b9b24f6 https://git.kernel.org/stable/c/46da5c3ea011e884028a91cf913db093920a915b https://git.kernel.org/stable/c/79235c8add5da4bf27a12f5a5dbb579f300c059e https://git.kernel.org/stable/c/a504b9f2797b739e0304d537e8aa4ce883ecce39 https://git.kernel.org/stable/c/a770e62923090d7572f1f5a8507ae551d354a057

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2026-06-25T08:38:33.547Z

Updated: 2026-06-25T08:38:33.547Z

Reserved: 2026-06-09T07:44:35.387Z

Link: CVE-2026-53147

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T14:30:05Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object