LiveActive security incident?Get immediate response
CVE Record

CVE-2026-53148: thunderbolt: Clamp XDomain response data copy to allocation size

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Clamp XDomain response data copy to allocation size tb_xdp_properties_request() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared data_length, causing memcpy to write past the kcalloc allocation. Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.

HighCVSS 7Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

CVE-2026-53148 is a Linux kernel Thunderbolt flaw. A malicious connected peer can make the kernel copy more response data than the allocated buffer can hold. That is a memory corruption bug with potential confidentiality, integrity, and availability impact, but the source rates exploitation as local and high-complexity.

Executive priority

Treat as a high-priority kernel update for Thunderbolt-capable Linux fleets, especially mobile and physically accessible systems. It is not currently evidenced as exploited, but memory corruption in kernel space carries serious business impact if reachable.

Technical view

The flaw is in tb_xdp_properties_request(). It trusts a response header length when copying XDomain response data and can write past a kcalloc allocation. The fix clamps each per-packet copy so the cumulative offset cannot exceed data_len. The issue is classified as CWE-787 with CVSS 3.1 score 7.0.

Likely exposure

Exposure is most likely on Linux systems running affected kernels with Thunderbolt/XDomain functionality reachable by a malicious peer. The bundle lists affected Linux kernel versions including 4.15, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, and 7.1.

Exploitation context

The provided data does not show active exploitation, and KEV is false. The attack requires local context, low privileges, no user interaction, and high complexity. Practical concern is higher for devices where untrusted Thunderbolt or USB4 peers can be connected.

Researcher notes

The key condition is a response length exceeding the allocated data buffer in tb_xdp_properties_request(). Analysis should focus on affected kernel lineage, XDomain reachability, and whether distribution kernels have backported the clamp. Do not assume all Linux hosts are exposed without Thunderbolt/XDomain context.

Mitigation direction

  • Apply vendor Linux kernel updates containing the Thunderbolt XDomain bounds-check fix.
  • Track Linux distribution advisories, including Red Hat guidance, for packaged fixed kernels.
  • Restrict untrusted physical Thunderbolt or USB4 access until affected systems are updated.
  • Prioritize laptops, workstations, and servers with exposed Thunderbolt-capable ports.

Validation and detection

  • Inventory Linux kernel versions across Thunderbolt-capable assets.
  • Compare running kernels with vendor advisories and the affected version list.
  • Confirm fixed packages include the referenced stable kernel commits or equivalent backports.
  • Review exposure where users or visitors can attach Thunderbolt or USB4 devices.
Prepared
Confidence
medium
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-787: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-53148 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
High
CVSS
7 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
12Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
7CVSS 3.1HighCVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H15.9redhat-SADP

Vulnerability scoring details

Base CVSS 3.1 score

7High
CVSS 3.1 vector shape for CVE-2026-53148Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. ADP timelineredhat-SADP

    Reported to Red Hat.

  3. ADP timelineredhat-SADP

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

redhat-SADPkernel: thunderbolt: Clamp XDomain response data copy to allocation size
other:Red Hat severity ratingcvssV3_1
  • 2026-06-25T00:00:00.000Z: Reported to Red Hat.
  • 2026-06-25T00:00:00.000Z: Made public.
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
LinuxLinuxcdae7c07e3e3509eaabc18c1640a55dc5b99c179, cdae7c07e3e3509eaabc18c1640a55dc5b99c179, cdae7c07e3e3509eaabc18c1640a55dc5b99c179, cdae7c07e3e3509eaabc18c1640a55dc5b99c179, cdae7c07e3e3509eaabc18c1640a55dc5b99c179, cdae7c07e3e3509eaabc18c1640a55dc5b99c179, cdae7c07e3e3509eaabc18c1640a55dc5b99c179, cdae7c07e3e3509eaabc18c1640a55dc5b99c179unaffected
LinuxLinux4.15, 0, 5.10.259, 5.15.210, 6.1.176, 6.6.143, 6.12.94, 6.18.36, 7.0.13, 7.1affected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-787 · source CWE mapping

Out-of-bounds Write

Out-of-bounds Write represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.