{"id":"CVE-2026-53146","summary":"thunderbolt: Limit XDomain response copy to actual frame size","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Limit XDomain response copy to actual frame size\n\ntb_xdomain_copy() copies req-\u003eresponse_size bytes from the received\npacket buffer regardless of the actual frame size.  When a short\nresponse arrives, this reads past the valid frame data in the DMA\npool buffer into stale contents from previous transactions.\n\nUse the minimum of frame size and expected response size for the\ncopy length.","modified":"2026-07-08T08:09:45.923372690Z","published":"2026-06-25T08:38:32.877Z","related":["CGA-8fj2-cq95-6c9j"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53146.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/033dfa63bf6be2653441a1dccae4a8313a91bb9d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7720654b4842bcdfeb64bc002f6186041849e1e7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a15b6d3136accb2bf84b04d9a3ddd991f7fbf1cb"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b2c1e5d9f1598cc1a4736d5c6bd1218f90805ee4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b5daa920f44cb582272fc9bfaeb67408776cbaef"},{"type":"WEB","url":"https://git.kernel.org/stable/c/c55da494dfb445fb28df3a9d293c2be6a299cd01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fc261397295b8ad0654cec747b0ec25ea0011995"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53146.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53146"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cdae7c07e3e3509eaabc18c1640a55dc5b99c179"},{"fixed":"c55da494dfb445fb28df3a9d293c2be6a299cd01"},{"fixed":"7720654b4842bcdfeb64bc002f6186041849e1e7"},{"fixed":"033dfa63bf6be2653441a1dccae4a8313a91bb9d"},{"fixed":"fc261397295b8ad0654cec747b0ec25ea0011995"},{"fixed":"a15b6d3136accb2bf84b04d9a3ddd991f7fbf1cb"},{"fixed":"b5daa920f44cb582272fc9bfaeb67408776cbaef"},{"fixed":"b2c1e5d9f1598cc1a4736d5c6bd1218f90805ee4"},{"fixed":"4db2bd2ed4785dbadaeeab9f4e346b21ac5fb8eb"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53146.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"5.10.259"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.176"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.143"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.94"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.36"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53146.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}]}