CVE-2026-39959
Received Received - Intake
Spoofing and Resource Exhaustion in Tmds.DBus Libraries

Publication date: 2026-04-09

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-09
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-39959
EUVD
EUVD-2026-20964
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
tmds dbus 0.92.0
tmds dbus_protocol 0.92.0
tmds dbus_protocol 0.21.3
tmds dbus.protocol 0.21.3
tmds dbus.protocol to 0.21.3|start_including=0.22.0|end_including=0.92.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-39959 affects the Tmds.DBus and Tmds.DBus.Protocol .NET libraries used for working with D-Bus. A malicious peer on the same D-Bus can exploit this vulnerability by impersonating the owner of a well-known name to spoof signals, exhaust system resources or cause file descriptor exhaustion by sending messages with too many Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext.

Impact Analysis

This vulnerability can impact you by allowing a local attacker with low privileges to compromise the integrity and availability of your application. Specifically, it can lead to spoofed signals that may mislead the application, exhaustion of system resources or file descriptors causing denial of service, and application crashes due to unhandled exceptions. These impacts can disrupt normal operations and potentially cause data or service interruptions.

Mitigation Strategies

To mitigate this vulnerability, you must upgrade to the patched versions of the affected packages.

  • Upgrade Tmds.DBus to version 0.92.0 or later.
  • Upgrade Tmds.DBus.Protocol to version 0.21.3 or later.

There are no known workarounds; upgrading is the only effective mitigation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-39959. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart