CVE-2026-53148: thunderbolt: Clamp XDomain response data copy to allocation size
In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Clamp XDomain response data copy to allocation size
tb_xdp_properties_request() derives the per-packet copy length from
the response header without checking that it fits in the previously
allocated data buffer. A malicious peer can set its length field
larger than the declared data_length, causing memcpy to write past
the kcalloc allocation.
Clamp the per-packet copy length so that the cumulative offset
never exceeds data_len.
Security readout for executives and security teams
Plain-English summary
CVE-2026-53148 is a Linux kernel Thunderbolt flaw. A malicious connected peer can make the kernel copy more response data than the allocated buffer can hold. That is a memory corruption bug with potential confidentiality, integrity, and availability impact, but the source rates exploitation as local and high-complexity.
Executive priority
Treat as a high-priority kernel update for Thunderbolt-capable Linux fleets, especially mobile and physically accessible systems. It is not currently evidenced as exploited, but memory corruption in kernel space carries serious business impact if reachable.
Technical view
The flaw is in tb_xdp_properties_request(). It trusts a response header length when copying XDomain response data and can write past a kcalloc allocation. The fix clamps each per-packet copy so the cumulative offset cannot exceed data_len. The issue is classified as CWE-787 with CVSS 3.1 score 7.0.
Likely exposure
Exposure is most likely on Linux systems running affected kernels with Thunderbolt/XDomain functionality reachable by a malicious peer. The bundle lists affected Linux kernel versions including 4.15, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and 7.1.
Exploitation context
The provided data does not show active exploitation, and KEV is false. The attack requires local context, low privileges, no user interaction, and high complexity. Practical concern is higher for devices where untrusted Thunderbolt or USB4 peers can be connected.
Researcher notes
The key condition is a response length exceeding the allocated data buffer in tb_xdp_properties_request(). Analysis should focus on affected kernel lineage, XDomain reachability, and whether distribution kernels have backported the clamp. Do not assume all Linux hosts are exposed without Thunderbolt/XDomain context.
Mitigation direction
Apply vendor Linux kernel updates containing the Thunderbolt XDomain bounds-check fix.
Track Linux distribution advisories, including Red Hat guidance, for packaged fixed kernels.
Restrict untrusted physical Thunderbolt or USB4 access until affected systems are updated.
Prioritize laptops, workstations, and servers with exposed Thunderbolt-capable ports.
Validation and detection
Inventory Linux kernel versions across Thunderbolt-capable assets.
Compare running kernels with vendor advisories and the affected version list.
Confirm fixed packages include the referenced stable kernel commits or equivalent backports.
Review exposure where users or visitors can attach Thunderbolt or USB4 devices.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-787: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
1ADP providers
12Source links
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-787 · source CWE mapping
Out-of-bounds Write
Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.