In the Linux kernel, the following vulnerability has been resolved:
thunderbolt: Clamp XDomain response data copy to allocation size
tbxdppropertiesrequest() derives the per-packet copy length from the response header without checking that it fits in the previously allocated data buffer. A malicious peer can set its length field larger than the declared datalength, causing memcpy to write past the kcalloc allocation.
Clamp the per-packet copy length so that the cumulative offset never exceeds data_len.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53148.json",
"cna_assigner": "Linux"
}