Description
Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.
Published: 2026-05-12
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deskflow is a keyboard and mouse sharing application. Before version 1.26.0.167, any TCP connection that does not begin with a valid TLS ClientHello triggers a one-second blocking sleep on the server's multiplexer worker thread. Because that thread services every active socket, established TLS clients also stall for one second per failed handshake, and a repeated stream of such connections effectively blocks input delivery to all connected screens. The weakness corresponds to uncontrolled resource consumption and improper handling of malformed input, reflected in CWE-400 and CWE-405.

Affected Systems

The vulnerability affects Deskflow servers running any pre-1.26.0.167 release with TLS enabled, which is the default configuration. It is not limited to a specific operating system; any platform that runs Deskflow with TLS listening on its port is susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity, remotely exploitable vulnerability. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but because the TCP listener is publicly reachable an attacker can target the server directly. No authentication or special privileges are required, so a simple traffic generator that repeatedly sends malformed ClientHello messages is enough to induce a sustained DoS. Each failed handshake introduces a one-second pause, and sustaining one or more failed handshakes per second keeps the service unusably slow for every connected client.

Generated by OpenCVE AI on May 12, 2026 at 22:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Deskflow to version 1.26.0.167 or later.
  • If upgrading is not possible, disable TLS on the Deskflow server or restrict access to the listening port to trusted hosts only.
  • Implement network-level rate limiting or firewall rules to drop or limit repeated failed TLS connections.
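A detection check to go with the last recommendation, as an added example rather than Deskflow's or OpenCVE's code: it scans constructed handshake-failure log lines (the line format is assumed, not taken from Deskflow) and flags any source that sustains the advisory's rate of one or more failed handshakes per second over a short window, while ignoring isolated failures.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines; the format is assumed, not Deskflow's real output.
SAMPLE_LOG = """\
2026-05-12T22:00:00 INFO: accepted secure socket from 10.0.0.5:52311
2026-05-12T22:00:01 ERROR: ssl handshake failed from 203.0.113.9:40001
2026-05-12T22:00:02 ERROR: ssl handshake failed from 203.0.113.9:40002
2026-05-12T22:00:03 ERROR: ssl handshake failed from 203.0.113.9:40003
2026-05-12T22:00:03 ERROR: ssl handshake failed from 198.51.100.7:41000
2026-05-12T22:00:04 ERROR: ssl handshake failed from 203.0.113.9:40004
2026-05-12T22:00:05 ERROR: ssl handshake failed from 203.0.113.9:40005
2026-05-12T22:00:30 ERROR: ssl handshake failed from 198.51.100.7:41001
"""

FAIL_MARKER = "ssl handshake failed from "

def parse_failures(log_text):
    """Yield (timestamp, source_ip) for every failed-handshake line."""
    for line in log_text.splitlines():
        if FAIL_MARKER not in line:
            continue
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        ip = line.split(FAIL_MARKER, 1)[1].rsplit(":", 1)[0]
        yield ts, ip

def find_drip_sources(log_text, window_s=5, min_failures=5):
    """Return {source_ip: time_first_flagged} for sources with at least
    min_failures failed handshakes inside any window_s-second span.
    min_failures == window_s is the sustained >= 1 failure/s rate the
    advisory describes; a single stray connection never trips it."""
    recent = defaultdict(deque)   # per-source sliding window of failure times
    flagged = {}
    for ts, ip in parse_failures(log_text):
        window = recent[ip]
        window.append(ts)
        # Drop failures older than window_s relative to the newest one.
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= min_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_drip_sources(SAMPLE_LOG).items():
        print(f"{ip}: sustained failed-handshake drip from {when.isoformat()}")
```

Feed it the server's real log lines once the marker and timestamp layout are adjusted to match, and route flagged sources to the firewall or rate-limiter rule from the recommendation above.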

Generated by OpenCVE AI on May 12, 2026 at 22:54 UTC.

Advisories

No advisories yet.

History

Wed, 13 May 2026 01:45:00 +0000

  Type                 Values Removed   Values Added
  First Time appeared                   Deskflow
                                        Deskflow deskflow
  Vendors & Products                    Deskflow
                                        Deskflow deskflow

Tue, 12 May 2026 21:30:00 +0000

  Type          Values Removed   Values Added
  Description                    Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.
  Title                          Deskflow: TLS multiplexer DoS on failed `SSL_accept`
  Weaknesses                     CWE-400
                                 CWE-405
  References
  Metrics                        cvssV3_1
                                 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T20:52:59.664Z

Reserved: 2026-05-05T17:39:31.113Z

Link: CVE-2026-44296

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T22:16:36.707

Modified: 2026-05-12T22:16:36.707

Link: CVE-2026-44296

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:30:06Z

Weaknesses