logo

Database

Asymmetric denial of service - ReDoS In tmds.dbus.protocol

Description

Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext.

Patches

The vulnerabilities are fixed in version 0.92.0. For Tmds.DBus.Protocol, the fixes are also backported to 0.21.3.

Workarounds

There are no known workarounds. Users should upgrade to a patched version.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-399592. NVD-2026-399593. OSV-2026-399594. GHSA-xrw6-gwf8-vvr95. GCVE-2026-39959

References

1. https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr92. https://github.com/tmds/Tmds.DBus/releases/tag/rel%2F0.21.33. https://github.com/tmds/Tmds.DBus/releases/tag/rel%2F0.92.0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.