Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-53147

Summary
Assigner-Linux
Assigner Org ID-416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At-25 Jun, 2026 | 08:38
Updated At-28 Jun, 2026 | 06:39
Rejected At-
Credits

thunderbolt: Validate XDomain request packet size before type cast

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Linux
Assigner Org ID:416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At:25 Jun, 2026 | 08:38
Updated At:28 Jun, 2026 | 06:39
Rejected At:
â–¼CVE Numbering Authority (CNA)
thunderbolt: Validate XDomain request packet size before type cast

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.

Affected Products
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • drivers/thunderbolt/xdomain.c
Default Status
unaffected
Versions
Affected
  • From cdae7c07e3e3509eaabc18c1640a55dc5b99c179 before a770e62923090d7572f1f5a8507ae551d354a057 (git)
  • From cdae7c07e3e3509eaabc18c1640a55dc5b99c179 before 0dd61ba03d05187726ecdf9c0e2175a81b9b24f6 (git)
  • From cdae7c07e3e3509eaabc18c1640a55dc5b99c179 before 79235c8add5da4bf27a12f5a5dbb579f300c059e (git)
  • From cdae7c07e3e3509eaabc18c1640a55dc5b99c179 before 46da5c3ea011e884028a91cf913db093920a915b (git)
  • From cdae7c07e3e3509eaabc18c1640a55dc5b99c179 before 07cd2787cdf8942d24a1a3ef81aa89b526fb6381 (git)
  • From cdae7c07e3e3509eaabc18c1640a55dc5b99c179 before a504b9f2797b739e0304d537e8aa4ce883ecce39 (git)
Vendor
Linux Kernel Organization, IncLinux
Product
Linux
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Program Files
  • drivers/thunderbolt/xdomain.c
Default Status
affected
Versions
Affected
  • 4.15
Unaffected
  • From 0 before 4.15 (semver)
  • From 6.1.176 through 6.1.* (semver)
  • From 6.6.143 through 6.6.* (semver)
  • From 6.12.94 through 6.12.* (semver)
  • From 6.18.36 through 6.18.* (semver)
  • From 7.0.13 through 7.0.* (semver)
  • From 7.1 through * (original_commit_for_fix)
Metrics
VersionBase scoreBase severityVector
3.18.1HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://git.kernel.org/stable/c/a770e62923090d7572f1f5a8507ae551d354a057
N/A
https://git.kernel.org/stable/c/0dd61ba03d05187726ecdf9c0e2175a81b9b24f6
N/A
https://git.kernel.org/stable/c/79235c8add5da4bf27a12f5a5dbb579f300c059e
N/A
https://git.kernel.org/stable/c/46da5c3ea011e884028a91cf913db093920a915b
N/A
https://git.kernel.org/stable/c/07cd2787cdf8942d24a1a3ef81aa89b526fb6381
N/A
https://git.kernel.org/stable/c/a504b9f2797b739e0304d537e8aa4ce883ecce39
N/A
Hyperlink: https://git.kernel.org/stable/c/a770e62923090d7572f1f5a8507ae551d354a057
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/0dd61ba03d05187726ecdf9c0e2175a81b9b24f6
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/79235c8add5da4bf27a12f5a5dbb579f300c059e
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/46da5c3ea011e884028a91cf913db093920a915b
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/07cd2787cdf8942d24a1a3ef81aa89b526fb6381
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/a504b9f2797b739e0304d537e8aa4ce883ecce39
Resource: N/A
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:416baaa9-dc9f-4396-8d5f-8c081fb06d67
Published At:25 Jun, 2026 | 09:16
Updated At:30 Jun, 2026 | 14:44

In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Validate XDomain request packet size before type cast tb_xdp_handle_request() casts the received packet buffer to protocol-specific structs without verifying that the allocation is large enough for the target type. A peer can send a minimal XDomain packet that passes the generic header length check but is shorter than the struct accessed after the cast, causing out-of- bounds reads from the kmemdup allocation. Plumb the packet length through xdomain_request_work and validate it against the expected struct size before each cast.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.1HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Type: Secondary
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
CPE Matches

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://git.kernel.org/stable/c/07cd2787cdf8942d24a1a3ef81aa89b526fb6381416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/0dd61ba03d05187726ecdf9c0e2175a81b9b24f6416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/46da5c3ea011e884028a91cf913db093920a915b416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/79235c8add5da4bf27a12f5a5dbb579f300c059e416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/a504b9f2797b739e0304d537e8aa4ce883ecce39416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
https://git.kernel.org/stable/c/a770e62923090d7572f1f5a8507ae551d354a057416baaa9-dc9f-4396-8d5f-8c081fb06d67
N/A
Hyperlink: https://git.kernel.org/stable/c/07cd2787cdf8942d24a1a3ef81aa89b526fb6381
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/0dd61ba03d05187726ecdf9c0e2175a81b9b24f6
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/46da5c3ea011e884028a91cf913db093920a915b
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/79235c8add5da4bf27a12f5a5dbb579f300c059e
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/a504b9f2797b739e0304d537e8aa4ce883ecce39
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A
Hyperlink: https://git.kernel.org/stable/c/a770e62923090d7572f1f5a8507ae551d354a057
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

10Records found

CVE-2026-53254
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.28% / 20.12%
||
7 Day CHG+0.10%
Published-25 Jun, 2026 | 08:39
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bluetooth: RFCOMM: validate skb length in MCC handlers

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: validate skb length in MCC handlers The RFCOMM MCC handlers cast skb->data to protocol-specific structs without validating skb->len first. A malicious remote device can send truncated MCC frames and trigger out-of-bounds reads in these handlers. Fix this by using skb_pull_data() to validate and access the required data before dereferencing it. rfcomm_recv_rpn() requires special handling since ETSI TS 07.10 allows 1-byte RPN requests. Handle this by validating only the DLCI byte first, and validating the full struct only when len > 1.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-53178
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.21% / 11.66%
||
7 Day CHG+0.05%
Published-25 Jun, 2026 | 08:38
Updated-30 Jun, 2026 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: rtw_mlme: add bounds checks before ie_length subtraction Add guards to ensure ie_length is large enough before subtracting fixed IE offsets to prevent unsigned integer underflow.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-46138
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.28% / 19.47%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 09:35
Updated-24 Jun, 2026 | 17:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Fix OOB read and infinite loop in hci_le_create_big_complete_evt hci_le_create_big_complete_evt() iterates over BT_BOUND connections for a BIG handle using a while loop, accessing ev->bis_handle[i++] on each iteration. However, there is no check that i stays within ev->num_bis before the array access. When a controller sends a LE_Create_BIG_Complete event with fewer bis_handle entries than there are BT_BOUND connections for that BIG, or with num_bis=0, the loop reads beyond the valid bis_handle[] flex array into adjacent heap memory. Since the out-of-bounds values typically exceed HCI_CONN_HANDLE_MAX (0x0EFF), hci_conn_set_handle() rejects them and the connection remains in BT_BOUND state. The same connection is then found again by hci_conn_hash_lookup_big_state(), creating an infinite loop with hci_dev_lock held. Fix this by terminating the BIG if in case not all BIS could be setup properly.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-46232
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.26% / 17.10%
||
7 Day CHG~0.00%
Published-28 May, 2026 | 09:40
Updated-14 Jun, 2026 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HID: playstation: Clamp num_touch_reports

In the Linux kernel, the following vulnerability has been resolved: HID: playstation: Clamp num_touch_reports A device would never lie about the number of touch reports would it? If it does the loop in dualshock4_parse_report will read off the end of the touch_reports array, up to about 2 KiB for the maximum number of 256 loop iteraions. The data that is read is emitted via evdev if the DS4_TOUCH_POINT_INACTIVE bit happens to be set. Protect against this by clamping the num_touch_reports value provided by the device to the maximum size of the touch_reports array.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CVE-2026-43051
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.26% / 16.82%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 14:15
Updated-11 May, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq

In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq() function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when copying data into the wacom structure. Specifically, report 0x03 requires at least 22 bytes to safely read the processed data and battery status, while report 0x04 (which falls through to 0x03) requires 32 bytes. Add explicit length checks for these report IDs and log a warning if a short report is received.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-31771
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.21% / 10.56%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 14:14
Updated-11 May, 2026 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bluetooth: hci_event: move wake reason storage into validated event handlers

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: move wake reason storage into validated event handlers hci_store_wake_reason() is called from hci_event_packet() immediately after stripping the HCI event header but before hci_event_func() enforces the per-event minimum payload length from hci_ev_table. This means a short HCI event frame can reach bacpy() before any bounds check runs. Rather than duplicating skb parsing and per-event length checks inside hci_store_wake_reason(), move wake-address storage into the individual event handlers after their existing event-length validation has succeeded. Convert hci_store_wake_reason() into a small helper that only stores an already-validated bdaddr while the caller holds hci_dev_lock(). Use the same helper after hci_event_func() with a NULL address to preserve the existing unexpected-wake fallback semantics when no validated event handler records a wake address. Annotate the helper with __must_hold(&hdev->lock) and add lockdep_assert_held(&hdev->lock) so future call paths keep the lock contract explicit. Call the helper from hci_conn_request_evt(), hci_conn_complete_evt(), hci_sync_conn_complete_evt(), le_conn_complete_evt(), hci_le_adv_report_evt(), hci_le_ext_adv_report_evt(), hci_le_direct_adv_report_evt(), hci_le_pa_sync_established_evt(), and hci_le_past_received_evt().

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CVE-2026-31393
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.26% / 16.82%
||
7 Day CHG~0.00%
Published-03 Apr, 2026 | 15:15
Updated-26 May, 2026 | 12:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Validate L2CAP_INFO_RSP payload length before access l2cap_information_rsp() checks that cmd_len covers the fixed l2cap_info_rsp header (type + result, 4 bytes) but then reads rsp->data without verifying that the payload is present: - L2CAP_IT_FEAT_MASK calls get_unaligned_le32(rsp->data), which reads 4 bytes past the header (needs cmd_len >= 8). - L2CAP_IT_FIXED_CHAN reads rsp->data[0], 1 byte past the header (needs cmd_len >= 5). A truncated L2CAP_INFO_RSP with result == L2CAP_IR_SUCCESS triggers an out-of-bounds read of adjacent skb data. Guard each data access with the required payload length check. If the payload is too short, skip the read and let the state machine complete with safe defaults (feat_mask and remote_fixed_chan remain zero from kzalloc), so the info timer cleanup and l2cap_conn_start() still run and the connection is not stalled.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-31464
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.27% / 19.16%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 13:53
Updated-11 May, 2026 | 22:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done()

In the Linux kernel, the following vulnerability has been resolved: scsi: ibmvfc: Fix OOB access in ibmvfc_discover_targets_done() A malicious or compromised VIO server can return a num_written value in the discover targets MAD response that exceeds max_targets. This value is stored directly in vhost->num_targets without validation, and is then used as the loop bound in ibmvfc_alloc_targets() to index into disc_buf[], which is only allocated for max_targets entries. Indices at or beyond max_targets access kernel memory outside the DMA-coherent allocation. The out-of-bounds data is subsequently embedded in Implicit Logout and PLOGI MADs that are sent back to the VIO server, leaking kernel memory. Fix by clamping num_written to max_targets before storing it.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-Linux
CVE-2026-31513
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.25% / 16.45%
||
7 Day CHG~0.00%
Published-22 Apr, 2026 | 13:54
Updated-11 May, 2026 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix stack-out-of-bounds read in l2cap_ecred_conn_req Syzbot reported a KASAN stack-out-of-bounds read in l2cap_build_cmd() that is triggered by a malformed Enhanced Credit Based Connection Request. The vulnerability stems from l2cap_ecred_conn_req(). The function allocates a local stack buffer (`pdu`) designed to hold a maximum of 5 Source Channel IDs (SCIDs), totaling 18 bytes. When an attacker sends a request with more than 5 SCIDs, the function calculates `rsp_len` based on this unvalidated `cmd_len` before checking if the number of SCIDs exceeds L2CAP_ECRED_MAX_CID. If the SCID count is too high, the function correctly jumps to the `response` label to reject the packet, but `rsp_len` retains the attacker's oversized value. Consequently, l2cap_send_cmd() is instructed to read past the end of the 18-byte `pdu` buffer, triggering a KASAN panic. Fix this by moving the assignment of `rsp_len` to after the `num_scid` boundary check. If the packet is rejected, `rsp_len` will safely remain 0, and the error response will only read the 8-byte base header from the stack.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
CVE-2026-31779
Matching Score-8
Assigner-kernel.org
ShareView Details
Matching Score-8
Assigner-kernel.org
CVSS Score-8.1||HIGH
EPSS-0.27% / 18.73%
||
7 Day CHG~0.00%
Published-01 May, 2026 | 14:15
Updated-11 May, 2026 | 22:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler()

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix potential out-of-bounds read in iwl_mvm_nd_match_info_handler() The memcpy function assumes the dynamic array notif->matches is at least as large as the number of bytes to copy. Otherwise, results->matches may contain unwanted data. To guarantee safety, extend the validation in one of the checks to ensure sufficient packet length. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Action-Not Available
Vendor-Linux Kernel Organization, Inc
Product-linux_kernelLinux
CWE ID-CWE-125
Out-of-bounds Read
Details not found