Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53147— thunderbolt: Validate XDomain request packet size before type cast

CVSS 8.1 · High EPSS 0.28% · P20

Affected Version Matrix 14

VendorProductVersion RangeStatus
LinuxLinuxcdae7c07e3e3509eaabc18c1640a55dc5b99c179< a770e62923090d7572f1f5a8507ae551d354a057affected
cdae7c07e3e3509eaabc18c1640a55dc5b99c179< 0dd61ba03d05187726ecdf9c0e2175a81b9b24f6affected
cdae7c07e3e3509eaabc18c1640a55dc5b99c179< 79235c8add5da4bf27a12f5a5dbb579f300c059eaffected
cdae7c07e3e3509eaabc18c1640a55dc5b99c179< 46da5c3ea011e884028a91cf913db093920a915baffected
cdae7c07e3e3509eaabc18c1640a55dc5b99c179< 07cd2787cdf8942d24a1a3ef81aa89b526fb6381affected
cdae7c07e3e3509eaabc18c1640a55dc5b99c179< a504b9f2797b739e0304d537e8aa4ce883ecce39affected
4.15affected
< 4.15unaffected
… +6 more rows
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53147

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
thunderbolt: Validate XDomain request packet size before type cast
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会开源的操作系统Linux所使用的内核。 Linux kernel 4.15版本及之前版本存在安全漏洞,该漏洞源于thunderbolt驱动在tb_xdp_handle_request()函数中未验证XDomain请求数据包大小是否正确,可能导致越界读取。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
LinuxLinux cdae7c07e3e3509eaabc18c1640a55dc5b99c179 ~ a770e62923090d7572f1f5a8507ae551d354a057 -
LinuxLinux 4.15 -

II. Public POCs for CVE-2026-53147

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53147

登录查看更多情报信息。

Patches & Fixes for CVE-2026-53147 (5)

Same Patch Batch · Linux · 2026-06-25 · 147 CVEs total

CVE-2026-532289.8 CRITICALipv6: sit: reload inner IPv6 header after GSO offloads
CVE-2026-532219.8 CRITICALip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup()
CVE-2026-531519.8 CRITICALrxrpc: Fix the ACK parser to extract the SACK table for parsing
CVE-2026-532169.8 CRITICALnet: mvpp2: limit XDP frame size to the RX buffer
CVE-2026-532159.8 CRITICALnet: mvpp2: refill RX buffers before XDP or skb use
CVE-2026-532469.8 CRITICALsctp: validate cached peer INIT chunk length in COOKIE_ECHO processing
CVE-2026-532479.8 CRITICALnet: ethernet: mtk_eth_soc: Fix use-after-free in metadata dst teardown
CVE-2026-531769.8 CRITICALIB/isert: Reject login PDUs shorter than ISER_HEADERS_LEN
CVE-2026-531759.8 CRITICALinet: frags: fix use-after-free caused by the fqdir_pre_exit() flush
CVE-2026-532609.8 CRITICALtcp: Add preempt_{disable,enable}_nested() in reqsk_queue_hash_req().
CVE-2026-531319.4 CRITICALnetfilter: require Ethernet MAC header before using eth_hdr()
CVE-2026-531869.1 CRITICALRDMA/srp: bound SRP_RSP sense copy by the received length
CVE-2026-532259.1 CRITICALsctp: fix uninit-value in __sctp_rcv_asconf_lookup()
CVE-2026-532249.1 CRITICALsctp: validate embedded INIT chunk and address list lengths in cookie
CVE-2026-531988.8 HIGHksmbd: fix use-after-free of a deferred file_lock on double SMB2_CANCEL
CVE-2026-531888.8 HIGHRDMA/core: Validate the passed in fops for ib_get_ucaps()
CVE-2026-532488.8 HIGHnet: airoha: Fix use-after-free in metadata dst teardown
CVE-2026-531708.8 HIGHaccel/ethosu: reject DMA commands with uninitialized length
CVE-2026-532328.8 HIGHnet: phy: clean the sfp upstream if phy probing fails
CVE-2026-532408.8 HIGHxfrm: iptfs: fix use-after-free on first_skb in __input_process_payload

Showing top 20 of 147 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53147

No comments yet


Leave a comment