GHSA-xrw6-gwf8-vvr9

Source

https://github.com/advisories/GHSA-xrw6-gwf8-vvr9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xrw6-gwf8-vvr9/GHSA-xrw6-gwf8-vvr9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-xrw6-gwf8-vvr9

Aliases

CVE-2026-39959

Published

2026-04-08T19:52:58Z

Modified

2026-04-09T19:18:51.630907Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service

Details

Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext.

Patches

The vulnerabilities are fixed in version 0.92.0. For Tmds.DBus.Protocol, the fixes are also backported to 0.21.3.

Workarounds

There are no known workarounds. Users should upgrade to a patched version.

Database specific

{
    "nvd_published_at": "2026-04-09T17:16:30Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-290",
        "CWE-400"
    ],
    "github_reviewed_at": "2026-04-08T19:52:58Z"
}

References

Affected packages

NuGet / Tmds.DBus

Package

Name: Tmds.DBus; View open source insights on deps.dev
Purl: pkg:nuget/Tmds.DBus

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.92.0

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.5.0

0.6.0

0.7.0

0.8.0

0.9.0

0.9.1

0.10.1

0.11.0

0.12.0

0.13.0

0.14.0

0.15.0

0.16.0

0.17.0

0.18.0

0.19.0

0.20.0

0.21.0

0.21.1

0.21.2

0.22.0

0.23.0

0.90.0

0.90.1

0.90.2

0.90.3

0.91.0

0.91.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xrw6-gwf8-vvr9/GHSA-xrw6-gwf8-vvr9.json"

NuGet / Tmds.DBus.Protocol

Package

Name: Tmds.DBus.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/Tmds.DBus.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.21.3

Affected versions

0.*

0.12.0

0.13.0

0.14.0

0.15.0

0.16.0

0.17.0

0.18.0

0.19.0

0.20.0

0.21.0

0.21.1

0.21.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xrw6-gwf8-vvr9/GHSA-xrw6-gwf8-vvr9.json"

NuGet / Tmds.DBus.Protocol

Package

Name: Tmds.DBus.Protocol; View open source insights on deps.dev
Purl: pkg:nuget/Tmds.DBus.Protocol

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.22.0

Fixed

0.92.0

Affected versions

0.*

0.22.0

0.23.0

0.90.0

0.90.1

0.90.2

0.90.3

0.91.0

0.91.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xrw6-gwf8-vvr9/GHSA-xrw6-gwf8-vvr9.json"