CVE-2026-33847
Received Received - Intake
Improper Memory Buffer Restriction in LinkingVision RapidVMS

Publication date: 2026-03-24

Last updated on: 2026-04-20

Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)

Description
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in linkingvision rapidvms.This issue affects rapidvms: before PR#96.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33847
EUVD
EUVD-2026-14746
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
linkingvision rapidvms *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in linkingvision rapidvms involves improper restriction of operations within the bounds of a memory buffer. Specifically, it is related to an out-of-bounds array access in the XWD decoder component, caused by incomplete checks of bits per pixel (bpp) values. The issue arises because the rapidvms project cloned code from FFmpeg but did not apply a critical security patch that fixed this problem in the original FFmpeg source. As a result, the vulnerability allows operations that exceed the allocated memory buffer limits, potentially leading to memory corruption or other security issues.

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves improper boundary checks in the memory buffer operations within the linkingvision rapidvms software, specifically in the XWD decoder component. Detection would typically involve verifying the version of rapidvms to see if it includes the fix from pull request #98 or later.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to a specific source code file and patch, direct detection on a network or system would require checking the installed rapidvms version or scanning for the vulnerable code presence.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerability might include:'}, {'type': 'list_item', 'content': 'Checking the rapidvms version installed: `rapidvms --version` or equivalent.'}, {'type': 'list_item', 'content': "Searching for the presence of the vulnerable file or patch in the installation directory, e.g., `grep -r 'xwddec.c' /path/to/rapidvms`."}, {'type': 'list_item', 'content': 'Using vulnerability scanners or static code analysis tools to detect the presence of the unpatched code related to CVE-2026-33847.'}, {'type': 'paragraph', 'content': 'No specific network detection commands or signatures are provided in the available resources.'}] [1]

Mitigation Strategies

The immediate mitigation step is to update the linkingvision rapidvms software to a version that includes the fix from pull request #98 or any later release that addresses CVE-2026-33847.

This fix applies the security patch originally from FFmpeg to the cloned code in rapidvms, preventing out-of-bounds memory access in the XWD decoder.

If updating is not immediately possible, consider restricting access to the vulnerable service or disabling the affected component to reduce exposure.

Impact Analysis

This vulnerability can have serious impacts including memory corruption, which may be exploited to execute arbitrary code, cause denial of service, or escalate privileges. The CVSS score of 7.8 indicates a high severity, with high impact on confidentiality, integrity, and availability. Since the attack vector is local and requires user interaction, an attacker with local access could trigger the vulnerability to compromise the system running rapidvms.

Compliance Impact

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33847. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart