CVE-2026-39959 HIGH

CVE-2026-39959: Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service

Vendor Tmds
Product Tmds.DBus
Weakness CWE-770 · Uncontrolled resource consumption
Published April 9, 2026
Last update April 9, 2026

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

01Description

Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3.

Key dates

02Disclosure timeline

April 9, 2026 CVE published
April 9, 2026 Record updated