{"id":"CVE-2026-44988","summary":"LibVNCClient Tight Gradient decoding allows malicious server-triggered heap/stack OOB writes","details":"LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.","aliases":["GHSA-jcc5-8wj4-7c58"],"modified":"2026-07-15T17:34:34.489297Z","published":"2026-05-27T14:26:50.063Z","related":["SUSE-SU-2026:22190-1","SUSE-SU-2026:2227-1","SUSE-SU-2026:2427-1","SUSE-SU-2026:2428-1","openSUSE-SU-2026:10905-1","openSUSE-SU-2026:21118-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44988.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-787"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44988.json"},{"type":"ADVISORY","url":"https://github.com/LibVNC/libvncserver/security/advisories/GHSA-jcc5-8wj4-7c58"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44988"},{"type":"FIX","url":"https://github.com/LibVNC/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libvnc/libvncserver","events":[{"introduced":"0"},{"fixed":"5b270544b85233668b98161323297d418a8f5fd1"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"0.9.15"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["LibVNCServer-0.9.15","LibVNCServer-0.9.14","LibVNCServer-0.9.13","LibVNCServer-0.9.12","LibVNCServer-0.9.11","LibVNCServer-0.9.10","LibVNCServer-0.9.9","LibVNCServer-0.9.8","X11VNC_0_9_12","X11VNC_0_9_11","X11VNC_0_9_10","X11VNC_0_9_9","X11VNC_0_9_8","X11VNC_0_9_7","X11VNC_REL_0_9_6","X11VNC_REL_0_9_5","X11VNC_REL_0_9_4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44988.json","vanir_signatures_modified":"2026-07-15T17:34:34Z","vanir_signatures":[{"source":"https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1","target":{"file":"include/rfb/rfbclient.h"},"deprecated":false,"digest":{"line_hashes":["284112818668429985556250801126026456947","146545894552328875471240250838610427439","97822547301251185393985983941095869406","298640970006803772311626728931039709666","107040941370273155494797315645181744864","145015383660600675083683478284247979767","25480604597800297874487350170401835033"],"threshold":0.9},"id":"CVE-2026-44988-2da6fcd1","signature_type":"Line","signature_version":"v1"},{"signature_version":"v1","source":"https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1","target":{"file":"src/libvncclient/tight.c","function":"FilterGradientBPP"},"deprecated":false,"digest":{"function_hash":"243790435544429802424662206256558146553","length":1725},"id":"CVE-2026-44988-586d4fe3","signature_type":"Function"},{"deprecated":false,"digest":{"function_hash":"136204925171635408656217793287536555863","length":1212},"id":"CVE-2026-44988-6f93eb67","signature_type":"Function","signature_version":"v1","source":"https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1","target":{"file":"src/libvncclient/tight.c","function":"FilterGradient24"}},{"signature_type":"Function","signature_version":"v1","source":"https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1","target":{"function":"HandleTightBPP","file":"src/libvncclient/tight.c"},"deprecated":false,"digest":{"function_hash":"308701212265011551369703570143399261208","length":4896},"id":"CVE-2026-44988-c2936c3d"},{"signature_type":"Line","signature_version":"v1","source":"https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1","target":{"file":"src/libvncclient/tight.c"},"deprecated":false,"digest":{"line_hashes":["928713364510983443011889069010387255","125597362769918731336038997978203344292","197029662172189727370869638080297154345","131601997495272501374791808319565048851","97287441679176143791124439911402995516","45318158746677699697250290293611924448","264892418141108533868932853703503574696","143103705549547974506781061840419418289","151629486138823699008590877938019170270","130318485263964665546477862415709591453","310067960931031303696407117321227591395","317676275598388611502092189619460955782","273401502033046250098606062202721216441"],"threshold":0.9},"id":"CVE-2026-44988-f0ee344d"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}