HIGH 7.1 NuGet
Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service
GHSA-xrw6-gwf8-vvr9 · CVE-2026-39959
Published · Modified
Description
Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext.
Patches
The vulnerabilities are fixed in version 0.92.0.
For Tmds.DBus.Protocol, the fixes are also backported to 0.21.3.
Workarounds
There are no known workarounds. Users should upgrade to a patched version.
References
- WEB https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-39959
- PACKAGE https://github.com/tmds/Tmds.DBus
- WEB https://github.com/tmds/Tmds.DBus/releases/tag/rel%2F0.21.3
- WEB https://github.com/tmds/Tmds.DBus/releases/tag/rel%2F0.92.0
Ready to move
Start Securing
Free, no credit card | First findings in minutes