CVE-2026-44988— LibVNCClient Tight Gradient decoding allows malicious server-triggered heap/stack OOB writes
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| LibVNC | libvncserver | <= 0.9.15 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44988
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LibVNCClient Tight Gradient decoding allows malicious server-triggered heap/stack OOB writes
Source: NVD (National Vulnerability Database)
Vulnerability Description
LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨界内存写
Source: NVD (National Vulnerability Database)
Vulnerability Title
LibVNCServer 缓冲区错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
LibVNCServer是LibVNC开源的一款支持在程序中实现VNC(虚拟网络计算)服务器或客户端功能的跨平台C语言库。 LibVNCServer 0.9.15及之前版本存在缓冲区错误漏洞,该漏洞源于Tight编码解码器使用固定大小的2048像素暂存缓冲区用于Gradient过滤器,但未拒绝宽度大于2048像素的Tight矩形,可能导致缓冲区写入越界。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| LibVNC | libvncserver | <= 0.9.15 | - |
II. Public POCs for CVE-2026-44988
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 10685 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-44988
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-44988 (1)
Vendor Advisories for CVE-2026-44988 (1)
IV. Related Vulnerabilities
Same weakness: CWE-787
- CVE-2026-6676
Avira antivirus engine heap buffer OOB write when scanning a - CVE-2025-14098
Avira antivirus engine heap buffer OOB write when scanning a - CVE-2025-7004
Avast antivirus heap buffer OOB write when scanning a malfor - CVE-2026-41157
GPU DDK - OOB Write in CalculateNPOTTwiddleSparsePageMap3D - CVE-2026-34195
GPU DDK - Kernel heap OOB write in PMRChangeSparseMemOSMem d
V. Comments for CVE-2026-44988
No comments yet