Which versions of Deskflow are affected by CVE-2026-41476?

Deskflow versions prior to 1.26.0.138 contain an out-of-bounds memory read vulnerability in clipboard handling that allows authenticated network peers to crash the application or leak sensitive data.. A patch is available.

Deskflow CVE-2026-41476

Q: What is the CVSS score of CVE-2026-41476?

CVE-2026-41476 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-25622 HIGH

Classic Buffer Overflow (CWE-120)

2026-04-24 GitHub_M

Buffer Overflow Deserialization Suse

7.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Patch released

Apr 28, 2026 - 15:47 nvd

Patch available

Re-analysis Queued

Apr 24, 2026 - 21:22 vuln.today

cvss_changed

Patch available

Apr 24, 2026 - 21:02 EUVD

Analysis Generated

Apr 24, 2026 - 20:30 vuln.today

CVSS changed

Apr 24, 2026 - 20:22 NVD

7.4 (HIGH)

EUVD ID Assigned

Apr 24, 2026 - 20:15 euvd

EUVD-2026-25622

Analysis Generated

Apr 24, 2026 - 20:15 vuln.today

CVE Published

Apr 24, 2026 - 19:47 nvd

HIGH 7.4

DescriptionNVD

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger an out-of-bounds read by sending a malformed clipboard update. The issue is in the implementation of src/lib/deskflow/IClipboard.cpp. This is reachable because ClipboardChunk::assemble() in src/lib/deskflow/ClipboardChunk.cpp validates only the outer clipboard transfer size. It does not validate the internal structure of the serialized clipboard blob, so malformed inner lengths reach IClipboard::unmarshall() unchanged. This vulnerability is fixed in 1.26.0.138.

AnalysisAI

Out-of-bounds memory read in Deskflow's clipboard deserialization allows authenticated remote peers to crash the application or potentially leak memory contents. The vulnerability affects versions prior to 1.26.0.138 and stems from insufficient validation of clipboard data structure during network transfer between connected machines. …

RemediationAI

Within 24 hours: Inventory all Deskflow deployments and document current versions in use. Within 7 days: Restrict Deskflow network connectivity to trusted peer systems only via firewall rules; disable clipboard synchronization if operationally feasible. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-41476 vulnerability details – vuln.today

Back

Deskflow CVE-2026-41476

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

Deskflow CVE-2026-41476

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code