CVE-2026-53148
Description
In the Linux kernel, the following vulnerability has been resolved:

thunderbolt: Clamp XDomain response data copy to allocation size

tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.
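The fix described above is a bounds clamp on a multi-packet reassembly loop. The following C program is an added, simplified model of that pattern written for this page; it is not the kernel's tb_xdp_properties_request() code, and the structure and function names (xdp_packet, reassembly, clamp_copy_len, reassembly_add) are hypothetical. It allocates a buffer from a declared data_length, then copies per-packet payloads whose length field is peer-controlled, clamping each copy so the cumulative offset never exceeds the allocation, and counts how many packets had to be truncated so the caller can treat an oversized reply as a protocol violation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of one response packet: the length field is supplied
 * by the remote peer and must be treated as untrusted. Lengths are in dwords. */
struct xdp_packet {
    uint32_t len;          /* per-packet payload length as claimed by the peer */
    const uint32_t *data;  /* payload */
};

/* Reassembly state for the response data (hypothetical). */
struct reassembly {
    uint32_t *buf;      /* calloc'd from the declared total data_length */
    size_t data_len;    /* allocation size in dwords */
    size_t offset;      /* dwords copied so far */
    size_t truncated;   /* packets whose copy length had to be clamped */
};

/* The clamp itself: the number of dwords that may safely be copied at
 * 'offset' into a buffer of 'data_len' dwords when the peer claims 'pkt_len'. */
static size_t clamp_copy_len(size_t offset, size_t pkt_len, size_t data_len)
{
    if (offset >= data_len)
        return 0;                       /* buffer already full */
    size_t room = data_len - offset;
    return pkt_len > room ? room : pkt_len;
}

static int reassembly_init(struct reassembly *r, size_t data_len)
{
    r->buf = calloc(data_len, sizeof(uint32_t));
    if (!r->buf && data_len)
        return -1;
    r->data_len = data_len;
    r->offset = 0;
    r->truncated = 0;
    return 0;
}

/* Copy one packet, never past the allocation; returns dwords actually copied. */
static size_t reassembly_add(struct reassembly *r, const struct xdp_packet *p)
{
    size_t n = clamp_copy_len(r->offset, p->len, r->data_len);
    if (n < p->len)
        r->truncated++;                 /* peer claimed more than fits */
    if (n)
        memcpy(r->buf + r->offset, p->data, n * sizeof(uint32_t));
    r->offset += n;
    return n;
}

static void reassembly_free(struct reassembly *r)
{
    free(r->buf);
    r->buf = NULL;
}

/* Constructed sample: the first reply declares 4 dwords, but the second
 * packet claims 3 dwords when only 2 remain. Returns total dwords copied
 * and reports how many packets were clamped. */
size_t demo_clamped_reassembly(size_t *truncated_out)
{
    static const uint32_t p0[] = { 0x11, 0x22 };
    static const uint32_t p1[] = { 0x33, 0x44, 0x55 };
    const struct xdp_packet pkts[] = {
        { .len = 2, .data = p0 },
        { .len = 3, .data = p1 },       /* oversized length field */
    };
    struct reassembly r;
    if (reassembly_init(&r, 4) != 0)
        return 0;
    for (size_t i = 0; i < sizeof(pkts) / sizeof(pkts[0]); i++)
        reassembly_add(&r, &pkts[i]);
    size_t total = r.offset;
    if (truncated_out)
        *truncated_out = r.truncated;
    reassembly_free(&r);
    return total;
}

int main(void)
{
    size_t truncated = 0;
    size_t total = demo_clamped_reassembly(&truncated);
    printf("copied %zu dwords, %zu packet(s) clamped\n", total, truncated);
    return 0;
}
```

Without the clamp, the second packet's memcpy would write 12 bytes where only 8 remain in the allocation; with it, the copy stops at the allocation boundary and the truncation counter gives the caller a signal to reject the response.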
CVE-2026-53148
| Field | Value |
|---|---|
| Name | CVE-2026-53148 |
| Description | thunderbolt: Clamp XDomain response data copy to allocation size |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| linux (PTS) | bullseye | 5.10.223-1 | vulnerable |
| linux (PTS) | bullseye (security) | 5.10.257-1 | vulnerable |
| linux (PTS) | bookworm | 6.1.170-3 | vulnerable |
| linux (PTS) | bookworm (security) | 6.1.174-1 | vulnerable |
| linux (PTS) | trixie | 6.12.86-1 | vulnerable |
| linux (PTS) | trixie (security) | 6.12.94-1 | fixed |
| linux (PTS) | forky | 7.0.12-2 | vulnerable |
| linux (PTS) | sid | 7.0.13-1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| linux | source | trixie | 6.12.94-1 | | | |
| linux | source | (unstable) | 7.0.13-1 | | | |
Notes
https://git.kernel.org/linus/322e93448d908434ae5545660fcbe8f5a7a8e141 (7.1)
OS impact
Debian (mixed status across 5 releases)
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.12.94-1 |
| sid | Fixed | 7.0.13-1 |
| forky | Affected | - |
| bullseye | Affected | - |
| bookworm | Affected | - |
References
- https://git.kernel.org/stable/c/0b334279a82d79fb4723bd4f614305de1ab69caa
- https://git.kernel.org/stable/c/6021d39ccd979713b39b980286020d8f9a45efd1
- https://git.kernel.org/stable/c/89ae04365e01d5ae4aae83044a8bbd2a9aaf8d0d
- https://git.kernel.org/stable/c/5db10c8ad8c09f72c847dfeef3d876098257f505
- https://git.kernel.org/stable/c/05a43157676c243c248d1c6d9dcecbe6eba2f35d
- https://git.kernel.org/stable/c/fcbd0cdab92838854a5818be7ed8a097164ef6d5
- https://git.kernel.org/stable/c/906035d5c3784570191d259cbf9a0ac1617852b5
- https://git.kernel.org/stable/c/322e93448d908434ae5545660fcbe8f5a7a8e141
- https://security-tracker.debian.org/tracker/CVE-2026-53148