Linux Kernel Thunderbolt XDomain Response Buffer Overwrite
CVE-2026-53148 Published on June 25, 2026
thunderbolt: Clamp XDomain response data copy to allocation size
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Clamp XDomain response data copy to allocation size
tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.
Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
Vulnerability Analysis
CVE-2026-53148 is exploitable with local system access, and requires small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2026-53148 has been classified to as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2026-53148
stack.watch emails you whenever new vulnerabilities are published in Linux Kernel or Red Hat Enterprise Linux (RHEL). Just hit a watch button to start following.
Affected Versions
Linux:- Version cdae7c07e3e3509eaabc18c1640a55dc5b99c179 and below 0b334279a82d79fb4723bd4f614305de1ab69caa is affected.
- Version cdae7c07e3e3509eaabc18c1640a55dc5b99c179 and below 6021d39ccd979713b39b980286020d8f9a45efd1 is affected.
- Version cdae7c07e3e3509eaabc18c1640a55dc5b99c179 and below 89ae04365e01d5ae4aae83044a8bbd2a9aaf8d0d is affected.
- Version cdae7c07e3e3509eaabc18c1640a55dc5b99c179 and below 5db10c8ad8c09f72c847dfeef3d876098257f505 is affected.
- Version cdae7c07e3e3509eaabc18c1640a55dc5b99c179 and below 05a43157676c243c248d1c6d9dcecbe6eba2f35d is affected.
- Version cdae7c07e3e3509eaabc18c1640a55dc5b99c179 and below fcbd0cdab92838854a5818be7ed8a097164ef6d5 is affected.
- Version cdae7c07e3e3509eaabc18c1640a55dc5b99c179 and below 906035d5c3784570191d259cbf9a0ac1617852b5 is affected.
- Version cdae7c07e3e3509eaabc18c1640a55dc5b99c179 and below 322e93448d908434ae5545660fcbe8f5a7a8e141 is affected.
- Version 4.15 is affected.
- Before 4.15 is unaffected.
- Version 5.10.259, <= 5.10.* is unaffected.
- Version 5.15.210, <= 5.15.* is unaffected.
- Version 6.1.176, <= 6.1.* is unaffected.
- Version 6.6.143, <= 6.6.* is unaffected.
- Version 6.12.94, <= 6.12.* is unaffected.
- Version 6.18.36, <= 6.18.* is unaffected.
- Version 7.0.13, <= 7.0.* is unaffected.
- Version 7.1, <= * is unaffected.