Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor...

7.1 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Description

Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3.

Basic Information

ID CVE-2026-39959

Source GitHub_M

Published Apr 9, 2026 at 16:29

Modified Apr 9, 2026 at 19:32

Affected Product

Vendor tmds

Product Tmds.DBus

Version < 0.92.0

Affected Versions tmds Tmds.DBus < 0.92.0
tmds Tmds.DBus.Protocol < 0.21.3
tmds Tmds.DBus.Protocol >= 0.22.0, < 0.92.0

CWE Classification

CWE-770 CWE-290

References

github.com /tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9

{
    "lastseen": "",
    "description": "Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3.",
    "published": "2026-04-09T16:29:20.616Z",
    "modified": "2026-04-09T19:32:09.891Z",
    "type": "cve",
    "title": "Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service",
    "source": "GitHub_M",
    "references": "https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9",
    "id": "CVE-2026-39959",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770",
        "CWE-290"
    ],
    "cvelist": null,
    "sourceData": "tmds Tmds.DBus < 0.92.0\ntmds Tmds.DBus.Protocol < 0.21.3\ntmds Tmds.DBus.Protocol >= 0.22.0, < 0.92.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Tmds.DBus",
    "version": "< 0.92.0",
    "vendor": "tmds",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service_CVE-2026-39959