Description
LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.
Published: 2026-05-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibVNCClient contains a Tight encoding decoder that allocates a 2048-pixel scratch buffer for the Gradient filter. The decoder fails to reject rectangles whose width exceeds this buffer size. A malicious VNC server can send a FramebufferUpdate rectangle using Tight encoding with NoZlib, ExplicitFilter, and the Gradient filter, causing the client to write beyond the fixed buffer. This out‑of‑bounds write can corrupt the heap or stack and potentially lead to arbitrary code execution.

Affected Systems

The vulnerability affects LibVNCClient as supplied by the LibVNC libvncserver project. All versions up to and including 0.9.15 are impacted. Applications that embed LibVNCClient and connect to untrusted VNC servers are at risk.

Risk and Exploitability

The CVSS score is 8.8, indicating a high severity. The EPSS score is currently unavailable, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw by acting as a VNC server that sends a specially crafted rectangle. Victims must accept a connection from the attacker; the vulnerability is triggered during normal decoding of a server‑sent frame. The risk is high for systems that rely on unpatched LibVNCClient libraries when connecting to external VNC servers.

Generated by OpenCVE AI on May 27, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibVNCClient to a version that includes the commit 5b270544b85233668b98161323297d418a8f5fd1 or later.
  • If an upgrade cannot be performed immediately, restrict or deny connections to untrusted VNC servers and limit the client to approved internal servers.
  • Apply a local source patch that enforces a width limit of 2048 pixels for the Gradient filter or rebuild the library from the updated source code repository.
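
A sketch of the width check described in the last recommendation, as an added example: it is not LibVNCClient's code and not the content of the fix commit. The names `grad_state`, `grad_begin_rect` and `grad_decode_row` and the RGB888 layout are assumptions for illustration; the prediction rule is the Tight Gradient filter's clamp(left + up - upleft).

```c
#include <stdint.h>
#include <string.h>

#define GRAD_MAX_W 2048   /* fixed scratch size in pixels, per the advisory */

typedef struct {          /* hypothetical decoder state, not LibVNCClient's */
    uint8_t prev_row[GRAD_MAX_W * 3];   /* previously decoded row, RGB888 */
} grad_state;

/* Validate the server-supplied rectangle size before any row is decoded. */
int grad_begin_rect(grad_state *st, unsigned width, unsigned height)
{
    if (width == 0 || height == 0 || width > GRAD_MAX_W)
        return -1;        /* caller treats this as a protocol error */
    memset(st->prev_row, 0, sizeof st->prev_row);  /* row above the first is zero */
    return 0;
}

static uint8_t clamp8(int v) { return v < 0 ? 0 : v > 255 ? 255 : (uint8_t)v; }

/* Decode one Gradient-filtered row: pixel = delta + clamp(left + up - upleft). */
int grad_decode_row(grad_state *st, const uint8_t *src, uint8_t *dst, unsigned width)
{
    uint8_t left[3] = {0, 0, 0}, upleft[3] = {0, 0, 0};

    /* Re-check at the point of the write so no caller can bypass the limit. */
    if (width == 0 || width > GRAD_MAX_W)
        return -1;
    for (unsigned x = 0; x < width; x++) {
        for (int c = 0; c < 3; c++) {
            uint8_t up = st->prev_row[x * 3 + c];
            uint8_t pred = clamp8(left[c] + up - upleft[c]);
            uint8_t px = (uint8_t)(src[x * 3 + c] + pred);
            upleft[c] = up;                 /* becomes upper-left of pixel x+1 */
            left[c] = px;
            dst[x * 3 + c] = px;
            st->prev_row[x * 3 + c] = px;   /* in bounds: x < width <= GRAD_MAX_W */
        }
    }
    return 0;
}
```

Rejecting the rectangle up front and again inside the row decoder keeps the index `x * 3 + c` below the size of `prev_row` for every path that reaches the write.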

Advisories

No advisories yet.

History

Thu, 28 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 27 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Description | | LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.
Title | | LibVNCClient Tight Gradient decoding allows malicious server-triggered heap/stack OOB writes
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:25:10.020Z

Reserved: 2026-05-08T16:23:33.265Z

Link: CVE-2026-44988

Vulnrichment

Updated: 2026-05-28T14:24:40.414Z

NVD

Status: Received

Published: 2026-05-27T15:16:29.830

Modified: 2026-05-28T16:16:25.307

Link: CVE-2026-44988

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:15:25Z
