CVE-2026-44988

HIGH 8.8

LibVNCClient Tight Gradient decoding allows malicious server-triggered heap/stack OOB writes

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.

CWE	CWE-787
Vendor	libvnc
Product	libvncserver
Published	May 27, 2026
Last Updated	May 29, 2026

Stay Ahead of the Next One

Get instant alerts for libvnc libvncserver

Be the first to know when new high vulnerabilities affecting libvnc libvncserver are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

LibVNC / libvncserver

<= 0.9.15

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58 github.com: https://github.com/LibVNC/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1