{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39959", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.822Z", "datePublished": "2026-04-09T16:29:20.616Z", "dateUpdated": "2026-04-09T19:32:09.891Z"}, "containers": {"cna": {"title": "Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9"}], "affected": [{"vendor": "tmds", "product": "Tmds.DBus", "versions": [{"version": "< 0.92.0", "status": "affected"}]}, {"vendor": "tmds", "product": "Tmds.DBus.Protocol", "versions": [{"version": "< 0.21.3", "status": "affected"}, {"version": ">= 0.22.0, < 0.92.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:29:20.616Z"}, "descriptions": [{"lang": "en", "value": "Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3."}], "source": {"advisory": "GHSA-xrw6-gwf8-vvr9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T17:38:26.439943Z", "id": "CVE-2026-39959", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T19:32:09.891Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39959", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T22:40:33.822Z", "datePublished": "2026-04-09T16:29:20.616Z", "dateUpdated": "2026-04-09T19:32:09.891Z"}, "containers": {"cna": {"title": "Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-290", "lang": "en", "description": "CWE-290: Authentication Bypass by Spoofing", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9"}], "affected": [{"vendor": "tmds", "product": "Tmds.DBus", "versions": [{"version": "< 0.92.0", "status": "affected"}]}, {"vendor": "tmds", "product": "Tmds.DBus.Protocol", "versions": [{"version": "< 0.21.3", "status": "affected"}, {"version": ">= 0.22.0, < 0.92.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T16:29:20.616Z"}, "descriptions": [{"lang": "en", "value": "Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3."}], "source": {"advisory": "GHSA-xrw6-gwf8-vvr9", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39959", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T17:38:26.439943Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T17:38:30.904Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3."}], "id": "CVE-2026-39959", "lastModified": "2026-04-13T15:02:27.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T17:16:30.440", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-290"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.92.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tmds.DBus", "source": "cna", "vendor": "tmds"}, "product": "tmds.dbus", "vendor": "tmds"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.21.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.22.0,0.92.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Tmds.DBus.Protocol", "source": "cna", "vendor": "tmds"}, "product": "tmds.dbus.protocol", "vendor": "tmds"}], "analysis": {"en": {"generated_at": "2026-04-09T18:50:50.791467+00:00", "value": {"mitigation_remediation": ["Apply the latest patched versions: Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.21.3.", "Configure the system bus to allow only authorized clients or run the application in a sandbox that restricts peer access.", "If patching is not immediately possible, disable or remove the susceptible libraries from the application and limit D\u2011Bus usage.", "Monitor D\u2011Bus traffic for abnormal message patterns, especially high volumes of file descriptors or malformed messages."], "summary": {"action": "Patch Immediately", "impact": "Denial of Service and Signal Spoofing"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Tmds.DBus and Tmds.DBus.Protocol .NET libraries. Versions prior to 0.92.0 for Tmds.DBus and prior to 0.21.3 for Tmds.DBus.Protocol are susceptible.", "description_and_impact": "Malicious peers on the same D\u2011Bus can impersonate the owner of a well\u2011known name and send forged signals, overwhelm the application with an excessive number of Unix file descriptors, or deliver malformed message bodies that trigger unhandled exceptions, all of which can cause the application to crash or misbehave.", "risk_and_exploitability": "With a CVSS score of 7.1 the issue is high severity. No EPSS score is available and the vulnerability is not listed in the KEV catalog. Exploitation requires a malicious peer on the same bus, so the risk is chiefly local or in environments where untrusted applications can attach to the bus. Successful exploitation can lead to resource exhaustion, application crashes, and the delivery of deceptive signals to components that trust the bus."}}}}, "created": "2026-04-10T08:52:58.942818+00:00", "updated": "2026-04-10T09:32:10.817989+00:00", "vendors": ["tmds", "tmds$PRODUCT$tmds.dbus", "tmds$PRODUCT$tmds.dbus.protocol"]}