CVE-2026-33847
Improper Memory Buffer Restriction in LinkingVision RapidVMS
Publication date: 2026-03-24
Last updated on: 2026-04-20
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linkingvision | rapidvms | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper boundary checks in memory buffer operations within the linkingvision rapidvms software, specifically in the XWD decoder component. Detection typically comes down to verifying whether the installed rapidvms build includes the fix from pull request #98 or a later release.

Because the flaw lives in a specific source file and is fixed by a specific patch, there is no direct network-level indicator: detection on a host means checking the installed rapidvms version, or inspecting the bundled XWD decoder source for the missing bits-per-pixel (bpp) checks.

Suggested commands:
- Check the installed rapidvms version: `rapidvms --version` or the equivalent for your packaging, and compare it against the release that carries pull request #98.
- Locate the cloned decoder in the installation or source tree, e.g. `find /path/to/rapidvms -name 'xwddec.c'`, then compare its bpp validation with the upstream FFmpeg fix that pull request #98 applies. Merely finding the file does not tell you whether it is patched.
- Use vulnerability scanners or static code analysis tools that can flag the unpatched code associated with CVE-2026-33847.

No specific network detection commands or signatures are provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the linkingvision rapidvms software to a version that includes the fix from pull request #98 or any later release that addresses CVE-2026-33847.
This fix applies the security patch originally from FFmpeg to the cloned code in rapidvms, preventing out-of-bounds memory access in the XWD decoder.
If updating is not immediately possible, reduce exposure by restricting who can reach the vulnerable service and what input reaches it (in particular, do not feed untrusted XWD images to the decoder), or by disabling the affected component.
Can you explain this vulnerability to me?
This vulnerability in linkingvision rapidvms involves improper restriction of operations within the bounds of a memory buffer. Specifically, it is an out-of-bounds array access in the XWD decoder component, caused by incomplete validation of the bits per pixel (bpp) value taken from the image header. The issue arises because the rapidvms project cloned code from FFmpeg but did not apply the security patch that fixed this problem in the original FFmpeg source. As a result, a crafted XWD image can make the decoder read from or write to memory past the end of the allocated buffer, potentially leading to memory corruption or other security issues.
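The following C program is an added illustration of the bug class described above; it is not the RapidVMS or FFmpeg source, and its struct fields, function names, depth-to-format table and the crafted header are all constructed for the example. It models a Z-pixmap decoder that sizes its output frame from the header's pixmap depth but copies pixels using the separate bpp field: with only a range check on bpp (the "incomplete" check), a header that says depth 8 but bpp 32 writes four bytes per pixel into a one-byte-per-pixel frame. The hardened variant ties bpp to the chosen format and rejects the header before any copy. Out-of-bounds writes are counted rather than performed so the demo itself stays memory-safe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an XWD-style Z-pixmap header (illustrative field names,
 * not the real on-disk layout). */
typedef struct {
    uint32_t width, height;
    uint32_t depth;          /* pixmap depth: decides the output pixel format */
    uint32_t bpp;            /* bits_per_pixel: stride of packed source pixels */
    uint32_t bytes_per_line; /* source row stride in bytes */
} xwd_header;

/* Output buffer with overflow accounting: a write past cap is counted, not done. */
typedef struct {
    uint8_t *buf;
    size_t   cap;
    size_t   overflow;       /* bytes that would have landed out of bounds */
} frame_sink;

static void sink_put(frame_sink *s, size_t pos, uint8_t v) {
    if (pos < s->cap) s->buf[pos] = v;
    else              s->overflow++;
}

/* Bytes per output pixel for each depth this model accepts (assumed table). */
static int out_bytes_for_depth(uint32_t depth) {
    switch (depth) {
    case 8:            return 1;   /* paletted */
    case 24: case 32:  return 4;   /* 0RGB */
    default:           return -1;  /* unsupported depth */
    }
}

enum { XWD_OK = 0, XWD_ERR_HEADER = -1, XWD_ERR_SHORT = -2 };

/* Header validation. With complete == 0 this models the incomplete check:
 * bpp is range-checked but never tied to the format chosen from depth. */
static int validate(const xwd_header *h, size_t src_len, int complete) {
    int ob = out_bytes_for_depth(h->depth);
    if (ob < 0 || h->width == 0 || h->height == 0)  return XWD_ERR_HEADER;
    if (h->bpp == 0 || h->bpp > 32 || h->bpp % 8)  return XWD_ERR_HEADER;
    if (complete && h->bpp / 8 != (uint32_t)ob)     return XWD_ERR_HEADER; /* the missing check */
    /* 64-bit arithmetic so the size checks cannot wrap on 32-bit header fields */
    if ((uint64_t)h->width * (h->bpp / 8) > h->bytes_per_line) return XWD_ERR_HEADER;
    if ((uint64_t)h->bytes_per_line * h->height > src_len)      return XWD_ERR_SHORT;
    return XWD_OK;
}

/* The output frame is sized from depth ... (call only with a supported depth) */
static size_t frame_bytes(const xwd_header *h) {
    return (size_t)h->width * h->height * (size_t)out_bytes_for_depth(h->depth);
}

/* ... but the pixel copy advances by bpp, so a header whose bpp disagrees
 * with depth emits more bytes than frame_bytes() allocated. */
static int decode(const xwd_header *h, const uint8_t *src, size_t src_len,
                  frame_sink *out, int complete) {
    int rc = validate(h, src_len, complete);
    if (rc != XWD_OK) return rc;
    size_t in_bytes = h->bpp / 8, pos = 0;
    for (uint32_t y = 0; y < h->height; y++) {
        const uint8_t *row = src + (size_t)y * h->bytes_per_line;
        for (uint32_t x = 0; x < h->width; x++)
            for (size_t b = 0; b < in_bytes; b++)
                sink_put(out, pos++, row[x * in_bytes + b]);
    }
    return XWD_OK;
}

/* Constructed inputs: the crafted header claims depth 8 (1 byte/pixel output)
 * but bpp 32 (4 bytes/pixel copy); the benign one is self-consistent. */
static const xwd_header crafted = { 16, 16, 8, 32, 64 };
static const xwd_header benign  = { 16, 16, 8,  8, 16 };
static uint8_t src[64 * 16];               /* zero-filled pixel data */

/* Decode h with the chosen check; returns counted OOB bytes, rc via pointer. */
static size_t run(const xwd_header *h, int complete, int *rc) {
    static uint8_t frame[16 * 16 * 4];
    frame_sink out = { frame, frame_bytes(h), 0 };  /* cap = what decoder allocated */
    *rc = decode(h, src, sizeof src, &out, complete);
    return out.overflow;
}

static size_t crafted_overflow_incomplete(void) { int rc; return run(&crafted, 0, &rc); }
static int    crafted_rc_incomplete(void)       { int rc; run(&crafted, 0, &rc); return rc; }
static size_t crafted_overflow_complete(void)   { int rc; return run(&crafted, 1, &rc); }
static int    crafted_rc_complete(void)         { int rc; run(&crafted, 1, &rc); return rc; }
static size_t benign_overflow_complete(void)    { int rc; return run(&benign, 1, &rc); }

int main(void) {
    printf("incomplete check: rc=%d, OOB bytes=%zu\n",
           crafted_rc_incomplete(), crafted_overflow_incomplete());
    printf("complete check:   rc=%d, OOB bytes=%zu\n",
           crafted_rc_complete(), crafted_overflow_complete());
    printf("benign header:    OOB bytes=%zu\n", benign_overflow_complete());
    return 0;
}
```

With the crafted header the incomplete check accepts the image and the copy emits 16 x 16 x 4 = 1024 bytes into a 256-byte frame, 768 of them out of bounds; the complete check rejects the same header with XWD_ERR_HEADER before a single byte is written. The general lesson is the one the advisory points at: every header field that drives a buffer index or stride must be validated against the format actually selected, not merely range-checked in isolation.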
How can this vulnerability impact me?
This vulnerability can have serious impacts including memory corruption, which may be exploited to execute arbitrary code, cause denial of service, or escalate privileges. The CVSS score of 7.8 indicates high severity, with high impact on confidentiality, integrity, and availability; taken together with the local attack vector and required user interaction, that score corresponds to the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In practice, an attacker who can get a crafted XWD image processed by rapidvms on the host (for example by persuading a local user to open it) could trigger the flaw and compromise the system running rapidvms.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know