CVE-2026-39959 | tmds Tmds.DBus/Tmds.DBus.Protocol up to 0.91.x SynchronizationContext allocation of resources (GHSA-xrw6-gwf8-vvr9)
VulDBArchived Apr 09, 2026✓ Full text saved
A vulnerability was found in tmds Tmds.DBus and Tmds.DBus.Protocol up to 0.91.x . It has been classified as problematic . The impacted element is an unknown function of the component SynchronizationContext . The manipulation leads to allocation of resources. This vulnerability is uniquely identified as CVE-2026-39959 . Local access is required to approach this attack. No exploit exists. Upgrading the affected component is recommended.
Full text archived locally
✦ AI Summary· Claude Sonnet
VDB-356628 · CVE-2026-39959 · GHSA-XRW6-GWF8-VVR9
TMDS TMDS.DBUS/TMDS.DBUS.PROTOCOL UP TO 0.91.X SYNCHRONIZATIONCONTEXT ALLOCATION OF RESOURCES
HISTORYDIFFRELATEJSONXMLCTI
CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score
5.6 $0-$5k 0.81+
Summaryinfo
A vulnerability was found in tmds Tmds.DBus and Tmds.DBus.Protocol up to 0.91.x. It has been declared as problematic. This affects an unknown function of the component SynchronizationContext. The manipulation results in allocation of resources. This vulnerability was named CVE-2026-39959. The attack needs to be approached locally. There is no available exploit. It is recommended to upgrade the affected component.
Detailsinfo
A vulnerability, which was classified as problematic, was found in tmds Tmds.DBus and Tmds.DBus.Protocol up to 0.91.x. Affected is some unknown processing of the component SynchronizationContext. The manipulation with an unknown input leads to a allocation of resources vulnerability. CWE is classifying the issue as CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. This is going to have an impact on integrity, and availability. CVE summarizes:
Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3.
The advisory is shared for download at github.com. This vulnerability is traded as CVE-2026-39959 since 04/08/2026. The exploitability is told to be easy. The attack needs to be approached locally. There are neither technical details nor an exploit publicly available.
Upgrading to version 0.92.0 eliminates this vulnerability.
Productinfo
Vendor
tmds
Name
Tmds.DBus
Tmds.DBus.Protocol
Version
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
0.10
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
0.19
0.20
0.21
0.22
0.23
0.24
0.25
0.26
0.27
0.28
0.29
0.30
0.31
0.32
0.33
0.34
0.35
0.36
0.37
0.38
0.39
0.40
0.41
0.42
0.43
0.44
0.45
0.46
0.47
0.48
0.49
0.50
0.51
0.52
0.53
0.54
0.55
0.56
0.57
0.58
0.59
0.60
0.61
0.62
0.63
0.64
0.65
0.66
0.67
0.68
0.69
0.70
0.71
0.72
0.73
0.74
0.75
0.76
0.77
0.78
0.79
0.80
0.81
0.82
0.83
0.84
0.85
0.86
0.87
0.88
0.89
0.90
0.91
Website
Product: https://github.com/tmds/Tmds.DBus/
CPE 2.3info
🔒
🔒
🔒
CPE 2.2info
🔒
🔒
🔒
CVSSv4info
VulDB Vector: 🔒
VulDB Reliability: 🔍
CVSSv3info
VulDB Meta Base Score: 5.7
VulDB Meta Temp Score: 5.6
VulDB Base Score: 4.4
VulDB Temp Score: 4.2
VulDB Vector: 🔒
VulDB Reliability: 🔍
CNA Base Score: 7.1
CNA Vector (GitHub_M): 🔒
CVSSv2info
Vector Complexity Authentication Confidentiality Integrity Availability
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
Unlock Unlock Unlock Unlock Unlock Unlock
VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Exploitinginfo
Class: Allocation of resources
CWE: CWE-770 / CWE-400 / CWE-404
CAPEC: 🔒
ATT&CK: 🔒
Physical: Partially
Local: Yes
Remote: No
Availability: 🔒
Status: Not defined
Price Prediction: 🔍
Current Price Estimation: 🔒
0-Day Unlock Unlock Unlock Unlock
Today Unlock Unlock Unlock Unlock
Threat Intelligenceinfo
Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍
Countermeasuresinfo
Recommended: Upgrade
Status: 🔍
0-Day Time: 🔒
Upgrade: Tmds.DBus/Tmds.DBus.Protocol 0.92.0
Timelineinfo
04/08/2026 CVE reserved
04/09/2026 +1 days Advisory disclosed
04/09/2026 +0 days VulDB entry created
04/09/2026 +0 days VulDB entry last update
Sourcesinfo
Product: github.com
Advisory: GHSA-xrw6-gwf8-vvr9
Status: Confirmed
CVE: CVE-2026-39959 (🔒)
GCVE (CVE): GCVE-0-2026-39959
GCVE (VulDB): GCVE-100-356628
Entryinfo
Created: 04/09/2026 19:44
Changes: 04/09/2026 19:44 (64)
Complete: 🔍
Cache ID: 99:414:101
Discussion
No comments yet. Languages: en.
Please log in to comment.
◂ PreviousOverviewNext ▸