CVE-2026-39959

High

Published: 09 April 2026

Modified: 13 April 2026
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0001 (0.3th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-39959 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Endpoint Denial of Service (T1499). The CVE ranks at the 0.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-10 (Information Input Validation).

Deeper analysis

Tmds.DBus and Tmds.DBus.Protocol, .NET libraries for interacting with the D-Bus interprocess communication system, are affected by CVE-2026-39959. A malicious D-Bus peer can do three things: spoof signals by impersonating the owner of a well-known name; exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors; and crash applications with malformed message bodies that trigger unhandled exceptions on the SynchronizationContext. The issue is associated with CWE-290 (Authentication Bypass by Spoofing) and CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

Exploitation requires a malicious peer on the same D-Bus bus, which is typically feasible for a local attacker with low privileges. Such an actor can spoof signals to manipulate communications, cause denial of service through resource exhaustion or file descriptor leaks, and crash applications. The result is high integrity and availability impact with no confidentiality loss.

The vulnerability is addressed in Tmds.DBus version 0.92.0 and Tmds.DBus.Protocol versions 0.92.0 and 0.21.3. Additional details are available in the GitHub security advisory at https://github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9.

Vulnerability details

Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1499 Endpoint Denial of Service (Impact)
Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.

T1565.002 Transmitted Data Manipulation (Impact)
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The vulnerability enables endpoint DoS via resource exhaustion (excessive FDs) and crashes from malformed messages (T1499). It also allows signal spoofing and impersonation to manipulate transmitted communications (T1565.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-8486: Shared CWE-770
CVE-2024-46933: Shared CWE-770
CVE-2020-36950: Shared CWE-770
CVE-2024-55925: Shared CWE-290
CVE-2024-8273: Shared CWE-290
CVE-2021-47791: Shared CWE-770
CVE-2026-40395: Shared CWE-770
CVE-2026-33131: Shared CWE-290
CVE-2026-35457: Shared CWE-770
CVE-2026-35401: Shared CWE-770

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Timely flaw remediation through patching Tmds.DBus to version 0.92.0 or later directly eliminates the spoofing, resource exhaustion, and crash vulnerabilities.

Prevent: Resource availability controls enforce limits on allocation to prevent exhaustion and file descriptor spillover from excessive Unix file descriptors in D-Bus messages.

Prevent: Information input validation rejects malformed D-Bus message bodies and excessive file descriptors, preventing application crashes and resource exhaustion.
