Skip to main content

LibVNCClient CVE-2026-44988

| EUVDEUVD-2026-32525 HIGH
Out-of-bounds Write (CWE-787)
2026-05-27 security-advisories@github.com
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 20:12 vuln.today
Analysis Generated
May 27, 2026 - 20:12 vuln.today

DescriptionGitHub Advisory

LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.

AnalysisAI

Out-of-bounds write in LibVNCClient (shipped in the LibVNCServer project, versions 0.9.15 and earlier) lets a malicious or compromised VNC server corrupt memory in any client that connects to it. The Tight encoding decoder's Gradient filter uses fixed 2048-pixel scratch buffers but never validates the server-supplied rectangle width, so a crafted FramebufferUpdate with a width above 2048 overruns those buffers, threatening confidentiality, integrity, and availability (CVSS 8.8). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue is fixed by upstream commit 5b270544.

Technical ContextAI

The flaw lives in the RFB (Remote Framebuffer / VNC) protocol's Tight encoding path inside src/libvncclient/tight.c. Tight encoding supports an ExplicitFilter mode whose Gradient filter (functions FilterGradient24 and FilterGradientBPP) predicts each pixel from neighboring rows, requiring per-row scratch storage. That storage is statically sized for 2048 pixels: the client struct field tightPrevRow[2048*3*sizeof(uint16_t)] plus the on-stack arrays thisRow[2048*3] (8-bit) and thisRow[2048*3] (uint16_t). Because the decoder copies the server-controlled rectangle width (rw) into these buffers without bounds-checking it against the 2048-pixel capacity, a wider rectangle writes past the buffer ends - a textbook CWE-787 (Out-of-bounds Write). The fix introduces a TIGHT_GRADIENT_MAX_WIDTH (2048) constant and rejects any Tight rectangle whose width exceeds it in HandleTightBPP before the filter runs.

RemediationAI

Upstream fix available (commit 5b270544b85233668b98161323297d418a8f5fd1); a released, tagged patched version is not independently confirmed from the provided data, so update to a LibVNCServer build that incorporates that commit - rebuild from current upstream master or backport the patch, which adds the rw > 2048 rectangle-width check in HandleTightBPP - and rebuild every downstream application that links libvncclient. Track the vendor advisory at https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58 and the fix at https://github.com/LibVNC/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1 for an official release. Until patched binaries are deployed, the practical compensating control is to connect clients only to trusted VNC servers over authenticated, integrity-protected channels (e.g., SSH/TLS tunnels) to block MITM injection of malicious FramebufferUpdate data; if your client stack lets you negotiate encodings, disabling Tight encoding avoids the vulnerable Gradient path entirely, at the cost of falling back to less bandwidth-efficient encodings.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-44988 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy