LibVNCClient is a library for easy implementation of a VNC client. In 0.9.15 and earlier, LibVNCClient's Tight encoding decoder uses fixed-size 2048-pixel scratch buffers for the Gradient filter, but it does not reject Tight rectangles whose width is larger than 2048 pixels. A malicious VNC server can send a crafted FramebufferUpdate rectangle using Tight encoding with NoZlib | ExplicitFilter and the Gradient filter. When a LibVNCClient-based client connects, the client processes the server-controlled rectangle width and writes beyond fixed-size Gradient buffers. This vulnerability is fixed with commit 5b270544b85233668b98161323297d418a8f5fd1.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44988.json",
"cwe_ids": [
"CWE-787"
],
"cna_assigner": "GitHub_M"
}[
{
"source": "https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"284112818668429985556250801126026456947",
"146545894552328875471240250838610427439",
"97822547301251185393985983941095869406",
"298640970006803772311626728931039709666",
"107040941370273155494797315645181744864",
"145015383660600675083683478284247979767",
"25480604597800297874487350170401835033"
]
},
"id": "CVE-2026-44988-2da6fcd1",
"signature_type": "Line",
"target": {
"file": "include/rfb/rfbclient.h"
}
},
{
"source": "https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "243790435544429802424662206256558146553",
"length": 1725.0
},
"id": "CVE-2026-44988-586d4fe3",
"signature_type": "Function",
"target": {
"function": "FilterGradientBPP",
"file": "src/libvncclient/tight.c"
}
},
{
"source": "https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "136204925171635408656217793287536555863",
"length": 1212.0
},
"id": "CVE-2026-44988-6f93eb67",
"signature_type": "Function",
"target": {
"function": "FilterGradient24",
"file": "src/libvncclient/tight.c"
}
},
{
"source": "https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "308701212265011551369703570143399261208",
"length": 4896.0
},
"id": "CVE-2026-44988-c2936c3d",
"signature_type": "Function",
"target": {
"function": "HandleTightBPP",
"file": "src/libvncclient/tight.c"
}
},
{
"source": "https://github.com/libvnc/libvncserver/commit/5b270544b85233668b98161323297d418a8f5fd1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"928713364510983443011889069010387255",
"125597362769918731336038997978203344292",
"197029662172189727370869638080297154345",
"131601997495272501374791808319565048851",
"97287441679176143791124439911402995516",
"45318158746677699697250290293611924448",
"264892418141108533868932853703503574696",
"143103705549547974506781061840419418289",
"151629486138823699008590877938019170270",
"130318485263964665546477862415709591453",
"310067960931031303696407117321227591395",
"317676275598388611502092189619460955782",
"273401502033046250098606062202721216441"
]
},
"id": "CVE-2026-44988-f0ee344d",
"signature_type": "Line",
"target": {
"file": "src/libvncclient/tight.c"
}
}
]
"2026-07-15T17:34:34Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44988.json"