PatchSiren cyber security CVE debrief
CVE-2026-44988 LibVNC CVE debrief
LibVNCClient versions 0.9.15 and earlier contain a heap-based buffer overflow in the Tight encoding decoder's Gradient filter. The vulnerability stems from a fixed-size 2048-pixel scratch buffer that is not validated against attacker-controlled rectangle widths in FramebufferUpdate messages. A malicious VNC server can craft a Tight-encoded rectangle with width exceeding 2048 pixels using NoZlib | ExplicitFilter and the Gradient filter, causing the client to write beyond allocated buffer boundaries during decoding. This is a server-to-client attack vector where the malicious server exploits connecting clients. The CVSS 3.1 score of 8.8 (High) reflects network attackability, low complexity, no privileges required, user interaction needed for connection establishment, and high impact across confidentiality, integrity, and availability. The vulnerability was disclosed on 2026-05-27 with a fix available via commit 5b270544b85233668b98161323297d418a8f5fd1. No known exploitation in ransomware campaigns has been reported.
- Vendor: LibVNC
- Product: libvncserver
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations using LibVNCClient-based VNC clients, remote desktop software vendors embedding LibVNCClient, security teams managing remote access infrastructure, and developers maintaining VNC client applications.
Technical summary
The Tight encoding decoder in LibVNCClient 0.9.15 and earlier allocates fixed 2048-pixel scratch buffers for the Gradient filter but fails to validate rectangle widths against this limit. When processing a malicious FramebufferUpdate with Tight encoding, NoZlib | ExplicitFilter flags, and Gradient filter, the decoder uses the server-controlled width as a loop bound, writing beyond the fixed buffer. This out-of-bounds write occurs in heap memory during pixel decoding, potentially enabling code execution in the client process. The attack requires user interaction to initiate a VNC connection to a malicious server.
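The missing check described above, shown in a simplified gradient-filter row decoder. This is an added example, not LibVNCClient's code and not the contents of the fix commit. The type and function names, the 3-bytes-per-pixel layout, and the rejection of zero-width rows are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_PIXELS 2048 /* fixed scratch size named in the summary above */
#define BPP 3               /* assumption: 3 bytes per pixel (R, G, B) */

/* Hypothetical decoder state: the previously decoded row, fixed size. */
typedef struct { uint8_t prev_row[SCRATCH_PIXELS * BPP]; } gradient_state;

static uint8_t clamp255(int v) { return (uint8_t)(v < 0 ? 0 : (v > 255 ? 255 : v)); }

/* The check the summary says was missing: the server-supplied width must fit. */
int gradient_width_ok(unsigned width) { return width > 0 && width <= SCRATCH_PIXELS; }

void gradient_reset(gradient_state *st) { memset(st->prev_row, 0, sizeof st->prev_row); }

/* Decode one row of gradient residuals (in) to pixels (out), width*BPP bytes each.
 * Returns 0 on success, -1 if width would overrun the scratch buffer. */
int gradient_decode_row(gradient_state *st, const uint8_t *in, uint8_t *out, unsigned width) {
    if (!gradient_width_ok(width))  /* without this, the loop below is bounded  */
        return -1;                  /* only by the server and writes past prev_row */
    uint8_t left[BPP] = {0}, upleft[BPP] = {0};
    for (unsigned x = 0; x < width; x++) {
        for (int c = 0; c < BPP; c++) {
            size_t i = (size_t)x * BPP + c;
            uint8_t up = st->prev_row[i];
            int pred = left[c] + up - upleft[c];           /* gradient predictor */
            uint8_t v = (uint8_t)(in[i] + clamp255(pred)); /* residual + prediction */
            upleft[c] = up;
            left[c] = v;
            st->prev_row[i] = out[i] = v;  /* the write that must stay in bounds */
        }
    }
    return 0;
}

int main(void) {
    /* Constructed sample: one 2-pixel row, then an oversized width. */
    gradient_state st;
    uint8_t in[6] = {10, 20, 30, 5, 5, 5}, out[6];
    gradient_reset(&st);
    int ok = gradient_decode_row(&st, in, out, 2);
    int rejected = gradient_decode_row(&st, in, out, 4096);
    printf("width 2: %d, width 4096: %d\n", ok, rejected);
    return 0;
}
```

A caller should treat the -1 return as a protocol error and drop the connection rather than skip the rectangle, since the stream position is no longer trustworthy.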
Defensive priority
high
Recommended defensive actions
- Upgrade LibVNCClient to a version incorporating commit 5b270544b85233668b98161323297d418a8f5fd1 or later
- Audit applications using LibVNCClient for embedded or outdated library versions
- Implement network segmentation to restrict VNC client connections to trusted servers only
- Monitor for anomalous VNC server behavior including unusually large framebuffer dimensions
- Apply principle of least privilege to VNC client processes to limit impact of memory corruption
- Consider using alternative VNC implementations or clients until patches are verified deployed
Evidence notes
Vulnerability description and fix commit confirmed through official GitHub Security Advisory and NVD record. CVSS vector and score sourced from NVD. CWE-787 (Out-of-bounds Write) classification from [email protected].
Official resources
2026-05-27