CVE-2026-44988
Heap Buffer Overflow in LibVNCClient Tight Encoding
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libvncclient | libvncclient | to 0.9.15 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in LibVNCClient versions 0.9.15 and earlier. The Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter but does not reject rectangles wider than 2048 pixels. A malicious VNC server can send a specially crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, it processes the server-controlled rectangle width and writes beyond the fixed-size Gradient buffers, causing a buffer overflow.
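The missing bound described above, as an added example (not LibVNCClient's code and not the upstream fix): a simplified Gradient-filter row decoder that validates the server-supplied width against its 2048-pixel scratch buffer before writing. The names gradient_state, gradient_begin_rect and gradient_decode_row, and the 3-bytes-per-pixel layout, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ROW_PIXELS 2048   /* scratch capacity stated in the advisory */
#define BPP 3                 /* assumption: 3 bytes (R,G,B) per pixel */

/* Hypothetical decoder state: the previous decoded row, fixed-size scratch. */
typedef struct { uint8_t prev_row[MAX_ROW_PIXELS * BPP]; } gradient_state;

/* Call once per rectangle before decoding. Returns 0 if safe, -1 to reject. */
int gradient_begin_rect(gradient_state *st, int width, int height)
{
    /* width is server-controlled: reject what the scratch cannot hold. */
    if (width <= 0 || height <= 0 || width > MAX_ROW_PIXELS)
        return -1;
    memset(st->prev_row, 0, (size_t)width * BPP);
    return 0;
}

/* Decode one row of Gradient residuals (width*BPP bytes) from src into dst. */
int gradient_decode_row(gradient_state *st, const uint8_t *src, uint8_t *dst, int width)
{
    if (width <= 0 || width > MAX_ROW_PIXELS)   /* re-check at the point of use */
        return -1;
    uint8_t left[BPP] = {0}, upleft[BPP] = {0};
    for (int x = 0; x < width; x++) {
        for (int c = 0; c < BPP; c++) {
            size_t i = (size_t)x * BPP + c;
            int up = st->prev_row[i];
            int pred = left[c] + up - upleft[c];   /* left + up - upper-left */
            pred = pred < 0 ? 0 : (pred > 255 ? 255 : pred);
            dst[i] = (uint8_t)(src[i] + pred);     /* residual + prediction, mod 256 */
            upleft[c] = (uint8_t)up;
            left[c] = dst[i];
            st->prev_row[i] = dst[i];              /* in bounds because of the check */
        }
    }
    return 0;
}

int main(void)
{
    static gradient_state st;
    const uint8_t row[6] = {10, 20, 30, 1, 2, 3};  /* constructed sample residuals */
    uint8_t out[6];
    printf("width 2049 -> %d\n", gradient_begin_rect(&st, 2049, 1));
    if (gradient_begin_rect(&st, 2, 1) == 0 && gradient_decode_row(&st, row, out, 2) == 0)
        printf("second pixel: %d %d %d\n", out[3], out[4], out[5]);
    return 0;
}
```

Without the width comparison in either function, the write to prev_row would run past the 2048-pixel buffer for any wider rectangle, which is the CWE-787 condition the advisory describes.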
How can this vulnerability impact me?
This vulnerability can lead to serious impacts, including potential remote code execution, data corruption, or denial of service. Because the buffer overflow is triggered by a malicious VNC server, an attacker could exploit it to execute arbitrary code on the client system and compromise the confidentiality, integrity, and availability of the affected system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update LibVNCClient to a version that includes the fix from commit 5b270544b85233668b98161323297d418a8f5fd1, which addresses the buffer overflow issue in the Tight encoding decoder.