CVE-2026-57965
Received - Intake

Integer Overflow in spice-vdagent Leading to DoS

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: Red Hat, Inc.

Description

A flaw was found in spice-vdagent. A malicious or compromised SPICE host can trigger an integer overflow by sending a specially crafted message. This vulnerability can lead to a heap buffer overflow, causing the spice-vdagent daemon to crash and resulting in a Denial of Service (DoS) for the virtual machine. This issue requires the SPICE host to be untrusted or compromised for exploitation.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: spice
Product: spice-vdagent
Version / Range: From 0xFFFFFFF1 (exc)

Exploitability

CWE ID: CWE-190
Description: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Executive Summary

CVE-2026-57965 is an integer overflow vulnerability in the spice-vdagent software, specifically in the udscs_write() function. The flaw occurs when calculating a buffer size using a 32-bit unsigned integer, which can wrap around if a specially crafted large size value is provided. This causes a very small buffer to be allocated, but then a large amount of data is copied into it, leading to a heap buffer overflow.

The vulnerability can be triggered by a malicious or compromised SPICE host sending a crafted message with an excessively large size field in clipboard or file transfer messages. This results in the spice-vdagent daemon crashing and causing a Denial of Service (DoS) for the virtual machine.
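The size arithmetic described above, as an added C example (not spice-vdagent's own code): the 32-bit sum that wraps, next to a checked form that rejects the message before anything is allocated or copied. The 16-byte header length and all function names are assumptions for illustration; 0xFFFFFFF1 is the size value given on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: a fixed 16-byte header precedes the payload in the buffer. */
#define HDR_LEN 16u

/* Flawed pattern: the sum is computed in 32 bits and wraps modulo 2^32. */
static uint32_t unchecked_total(uint32_t payload_size)
{
    return HDR_LEN + payload_size;
}

/* Checked form: returns 0 and sets *total, or -1 if the sum cannot fit. */
static int checked_total(uint32_t payload_size, uint32_t *total)
{
    if (payload_size > UINT32_MAX - HDR_LEN)
        return -1;
    *total = HDR_LEN + payload_size;
    return 0;
}

/* Build header + payload only when the size arithmetic is sound.
 * Returns NULL on rejected size or allocation failure; caller frees. */
static uint8_t *build_message(const uint8_t *payload, uint32_t payload_size,
                              uint32_t *out_len)
{
    uint32_t total;
    uint8_t *buf;

    if (checked_total(payload_size, &total) != 0)
        return NULL;                      /* reject before allocating */
    if (payload == NULL && payload_size != 0)
        return NULL;
    buf = calloc(1, total);               /* header bytes left zeroed here */
    if (buf == NULL)
        return NULL;
    if (payload_size != 0)
        memcpy(buf + HDR_LEN, payload, payload_size);
    *out_len = total;
    return buf;
}

int main(void)
{
    uint32_t t = 0;
    printf("unchecked: 0x%08x\n", (unsigned)unchecked_total(0xFFFFFFF1u));
    printf("checked:   %d\n", checked_total(0xFFFFFFF1u, &t));
    return 0;
}
```

With the unchecked sum, the allocation size and the copy length disagree; the checked form makes the oversized size field a rejected message instead.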

Impact Analysis

This vulnerability can cause the spice-vdagent daemon to crash due to a heap buffer overflow, resulting in a Denial of Service (DoS) for the affected virtual machine.

Exploitation requires a malicious or compromised SPICE host, so if the host is trusted and secure, the risk is reduced. However, if exploited, it can disrupt the availability of the virtual machine services.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or abnormal behavior of the spice-vdagent daemon, as exploitation causes a heap buffer overflow leading to a crash (SIGBUS signal). Detection can also involve analyzing messages from the SPICE host for unusually large size values in clipboard or file transfer messages, specifically the VDAgentMessage.size field.

Since the issue arises from an integer overflow when the size field is 0xFFFFFFF1 or larger, you can inspect network traffic or logs for such suspiciously large size values in SPICE protocol messages.

No specific commands are provided in the resources, but general approaches include:

  • Using packet capture tools (e.g., tcpdump or Wireshark) to filter and analyze SPICE protocol messages for abnormal size fields.
  • Monitoring the spice-vdagent process for crashes or abnormal termination using system logs or process monitoring tools.
  • Running the spice-vdagent daemon with AddressSanitizer or similar memory error detection tools to catch heap buffer overflows during testing.

Mitigation Strategies

Immediate mitigation steps include ensuring that the SPICE host is trusted and not compromised, as exploitation requires a malicious or compromised SPICE host to send crafted messages.

Additionally, consider updating or patching the spice-vdagent software to a version where this vulnerability is fixed, if such an update is available.

If patching is not immediately possible, restricting or monitoring SPICE host communications to prevent untrusted hosts from sending messages to the spice-vdagent daemon can reduce risk.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
