CVE-2026-44988

EUVD-2026-32525
LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
GitHub_MCNA
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 15%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
libvnc_projectlibvncserver
𝑥
≤ 0.9.15
CNA
Debian logo
Debian Releases
Debian Product
Codename
libvncserver
bookworm
0.9.14+dfsg-1+deb12u2
fixed
bullseye
vulnerable
forky
0.9.15+dfsg-6
fixed
sid
0.9.15+dfsg-6
fixed
trixie
0.9.15+dfsg-1+deb13u2
fixed
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
LibVNCServer-devel
suse enterprise server 12 SP5
0.9.9-17.47.1
fixed
libvncclient0
suse enterprise server 12 SP3
0.9.9-17.47.1
fixed
suse enterprise server 12 SP5
0.9.9-17.47.1
fixed
libvncclient1
suse enterprise desktop 15 SP7
0.9.14-150600.3.9.1
fixed
suse enterprise sap 15 SP7
0.9.14-150600.3.9.1
fixed
suse enterprise server 15 SP7
0.9.14-150600.3.9.1
fixed
suse enterprise workstation 15 SP7
0.9.14-150600.3.9.1
fixed
libvncserver0
suse enterprise server 12 SP3
0.9.9-17.47.1
fixed
suse enterprise server 12 SP5
0.9.9-17.47.1
fixed
libvncserver1
suse enterprise desktop 15 SP7
0.9.14-150600.3.9.1
fixed
suse enterprise sap 15 SP7
0.9.14-150600.3.9.1
fixed
suse enterprise server 15 SP7
0.9.14-150600.3.9.1
fixed
suse enterprise workstation 15 SP7
0.9.14-150600.3.9.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
libvncserver
Amazon Linux 2
0:0.9.9-14.amzn2.0.3
fixed
libvncserver-debuginfo
Amazon Linux 2
0:0.9.9-14.amzn2.0.3
fixed
libvncserver-devel
Amazon Linux 2
0:0.9.9-14.amzn2.0.3
fixed