CVE-2026-39959: CWE-770: Allocation of Resources Without Limits or Throttling in tmds Tmds.DBus
Tmds.DBus and Tmds.DBus.Protocol .NET libraries are vulnerable to malicious D-Bus peers that can impersonate well-known names, exhaust system resources, cause file descriptor spillover, and crash applications via malformed messages. This affects versions prior to 0.92.0 for Tmds.DBus and prior to 0.21.
AI Analysis
Technical Summary
The vulnerability in Tmds.DBus and Tmds.DBus.Protocol allows a malicious peer on the same D-Bus to spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with excessive Unix file descriptors, and crash the application by sending malformed message bodies that trigger unhandled exceptions on the SynchronizationContext. This is due to lack of limits or throttling on resource allocation and insufficient authentication controls. The issue affects versions prior to 0.92.0 for Tmds.DBus and prior to 0.21.3 for Tmds.DBus.Protocol. The vulnerability is fixed in the specified versions.
Potential Impact
An attacker with access to the same D-Bus can cause denial of service by exhausting system resources or crashing the application. They can also spoof signals by impersonating legitimate bus name owners, potentially disrupting application logic or causing incorrect behavior. There is no direct confidentiality impact reported. The vulnerability has a CVSS v3.1 score of 7.1 (high), reflecting high impact on integrity and availability but no impact on confidentiality.
Mitigation Recommendations
Upgrade Tmds.DBus to version 0.92.0 or later and Tmds.DBus.Protocol to version 0.92.0 or 0.21.3 or later to apply the official fix. No other mitigation guidance is provided. Patch status is confirmed by the vendor advisory embedded in the CVE description.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-07T22:40:33.822Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d7dc7c1cc7ad14daf451d2
Added to database: 4/9/2026, 5:06:04 PM
Last enriched: 4/9/2026, 5:21:06 PM
Last updated: 4/9/2026, 7:21:00 PM