{"id":"CVE-2026-53148","summary":"thunderbolt: Clamp XDomain response data copy to allocation size","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nthunderbolt: Clamp XDomain response data copy to allocation size\n\ntb_xdp_properties_request() derives the per-packet copy length from\nthe response header without checking that it fits in the previously\nallocated data buffer.  A malicious peer can set its length field\nlarger than the declared data_length, causing memcpy to write past\nthe kcalloc allocation.\n\nClamp the per-packet copy length so that the cumulative offset\nnever exceeds data_len.","modified":"2026-07-08T08:09:47.448572788Z","published":"2026-06-25T08:38:34.208Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53148.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/05a43157676c243c248d1c6d9dcecbe6eba2f35d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0b334279a82d79fb4723bd4f614305de1ab69caa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/322e93448d908434ae5545660fcbe8f5a7a8e141"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5db10c8ad8c09f72c847dfeef3d876098257f505"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6021d39ccd979713b39b980286020d8f9a45efd1"},{"type":"WEB","url":"https://git.kernel.org/stable/c/89ae04365e01d5ae4aae83044a8bbd2a9aaf8d0d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/906035d5c3784570191d259cbf9a0ac1617852b5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fcbd0cdab92838854a5818be7ed8a097164ef6d5"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-53148.json"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-53148"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53148.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-53148"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2492756"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"cdae7c07e3e3509eaabc18c1640a55dc5b99c179"},{"fixed":"0b334279a82d79fb4723bd4f614305de1ab69caa"},{"fixed":"6021d39ccd979713b39b980286020d8f9a45efd1"},{"fixed":"89ae04365e01d5ae4aae83044a8bbd2a9aaf8d0d"},{"fixed":"5db10c8ad8c09f72c847dfeef3d876098257f505"},{"fixed":"05a43157676c243c248d1c6d9dcecbe6eba2f35d"},{"fixed":"fcbd0cdab92838854a5818be7ed8a097164ef6d5"},{"fixed":"906035d5c3784570191d259cbf9a0ac1617852b5"},{"fixed":"322e93448d908434ae5545660fcbe8f5a7a8e141"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53148.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.15.0"},{"fixed":"5.10.259"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.210"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"6.1.176"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.2.0"},{"fixed":"6.6.143"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.7.0"},{"fixed":"6.12.94"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.13.0"},{"fixed":"6.18.36"}]},{"type":"ECOSYSTEM","events":[{"introduced":"6.19.0"},{"fixed":"7.0.13"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53148.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}