SCA: security update for Tmds.DBus, Tmds.DBus.Protocol (GHSA-xrw6-gwf8-vvr9)

high Tenable Self-Hosted Container Security Plugin ID 440093

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Tmds.DBus provides .NET libraries for working with D-Bus from .NET. Tmds.DBus and Tmds.DBus.Protocol are
vulnerable to malicious D-Bus peers. A peer on the same bus can spoof signals by impersonating the owner
of a well-known name, exhaust system resources or cause file descriptor spillover by sending messages with
an excessive number of Unix file descriptors, and crash the application by sending malformed message
bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability is fixed in
Tmds.DBus 0.92.0 and Tmds.DBus.Protocol 0.92.0 and 0.21.3. (CVE-2026-39959)

Solution

Update the Tmds.DBus.Protocol library and its related packages to version 0.21.3 or later.

See Also

https://github.com/advisories/GHSA-xrw6-gwf8-vvr9

Plugin Details

Severity: High

ID: 440093

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/9/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.29

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:C/A:C

CVSS Score Source: CVE-2026-39959

CVSS v3

Risk Factor: High

Base Score: 7.1

Temporal Score: 6.2

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/8/2026

Vulnerability Publication Date: 4/8/2026

Reference Information

CVE: CVE-2026-39959