CVE-2026-39959
Spoofing and Resource Exhaustion in Tmds.DBus Libraries
Publication date: 2026-04-09
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tmds | dbus | 0.92.0 |
| tmds | dbus_protocol | 0.92.0 |
| tmds | dbus_protocol | 0.21.3 |
| tmds | dbus.protocol | 0.21.3 |
| tmds | dbus.protocol | to 0.21.3|start_including=0.22.0|end_including=0.92.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39959 affects the Tmds.DBus and Tmds.DBus.Protocol .NET libraries used for working with D-Bus. A malicious peer on the same D-Bus can exploit this vulnerability by impersonating the owner of a well-known name to spoof signals, exhaust system resources or cause file descriptor exhaustion by sending messages with too many Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing a local attacker with low privileges to compromise the integrity and availability of your application. Specifically, it can lead to spoofed signals that may mislead the application, exhaustion of system resources or file descriptors causing denial of service, and application crashes due to unhandled exceptions. These impacts can disrupt normal operations and potentially cause data or service interruptions.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you must upgrade to the patched versions of the affected packages.
- Upgrade Tmds.DBus to version 0.92.0 or later.
- Upgrade Tmds.DBus.Protocol to version 0.21.3 or later.
There are no known workarounds; upgrading is the only effective mitigation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.