High severity7.1NVD Advisory· Published Apr 9, 2026· Updated Apr 13, 2026

CVE-2026-39959

Description

Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with an excessive number of Unix file descriptors, and crash the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Tmds.DBusNuGet	< 0.92.0	0.92.0
Tmds.DBus.ProtocolNuGet	< 0.21.3	0.21.3
Tmds.DBus.ProtocolNuGet	>= 0.22.0, < 0.92.0	0.92.0

Affected products

Tmds/Tmds.dbusinferred
Range: <0.92.0, <0.21.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-xrw6-gwf8-vvr9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-39959ghsaADVISORY
github.com/tmds/Tmds.DBus/releases/tag/rel%2F0.21.3ghsaWEB
github.com/tmds/Tmds.DBus/releases/tag/rel%2F0.92.0ghsaWEB
github.com/tmds/Tmds.DBus/security/advisories/GHSA-xrw6-gwf8-vvr9nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000