{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41476", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-20T16:14:19.005Z", "datePublished": "2026-04-24T19:47:45.316Z", "dateUpdated": "2026-04-24T20:15:40.568Z"}, "containers": {"cna": {"title": "Deskflow: clipboard deserialization global-buffer-overflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "lang": "en", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh"}], "affected": [{"vendor": "deskflow", "product": "deskflow", "versions": [{"version": "< 1.26.0.138", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:47:45.316Z"}, "descriptions": [{"lang": "en", "value": "Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger an out-of-bounds read by sending a malformed clipboard update. The issue is in the implementation of src/lib/deskflow/IClipboard.cpp. This is reachable because ClipboardChunk::assemble() in src/lib/deskflow/ClipboardChunk.cpp validates only the outer clipboard transfer size. It does not validate the internal structure of the serialized clipboard blob, so malformed inner lengths reach IClipboard::unmarshall() unchanged. This vulnerability is fixed in 1.26.0.138."}], "source": {"advisory": "GHSA-3jp5-g964-cgmh", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-24T20:15:14.472198Z", "id": "CVE-2026-41476", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:15:40.568Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41476", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-24T20:15:14.472198Z"}}}], "references": [{"url": "https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-24T20:15:35.780Z"}}], "cna": {"title": "Deskflow: clipboard deserialization global-buffer-overflow", "source": {"advisory": "GHSA-3jp5-g964-cgmh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "deskflow", "product": "deskflow", "versions": [{"status": "affected", "version": "< 1.26.0.138"}]}], "references": [{"url": "https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh", "name": "https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger an out-of-bounds read by sending a malformed clipboard update. The issue is in the implementation of src/lib/deskflow/IClipboard.cpp. This is reachable because ClipboardChunk::assemble() in src/lib/deskflow/ClipboardChunk.cpp validates only the outer clipboard transfer size. It does not validate the internal structure of the serialized clipboard blob, so malformed inner lengths reach IClipboard::unmarshall() unchanged. This vulnerability is fixed in 1.26.0.138."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-24T19:47:45.316Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41476", "state": "PUBLISHED", "dateUpdated": "2026-04-24T20:15:40.568Z", "dateReserved": "2026-04-20T16:14:19.005Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-24T19:47:45.316Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:deskflow:deskflow:*:*:*:*:*:*:*:*", "matchCriteriaId": "A3A29737-D28B-4C7B-A363-E91E6D819E8C", "versionEndExcluding": "1.26.0.138", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.138, a remote memory-safety vulnerability in Deskflow's clipboard deserialization allows a connected peer to trigger an out-of-bounds read by sending a malformed clipboard update. The issue is in the implementation of src/lib/deskflow/IClipboard.cpp. This is reachable because ClipboardChunk::assemble() in src/lib/deskflow/ClipboardChunk.cpp validates only the outer clipboard transfer size. It does not validate the internal structure of the serialized clipboard blob, so malformed inner lengths reach IClipboard::unmarshall() unchanged. This vulnerability is fixed in 1.26.0.138."}], "id": "CVE-2026-41476", "lastModified": "2026-04-28T15:47:41.563", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-24T20:16:28.207", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/deskflow/deskflow/security/advisories/GHSA-3jp5-g964-cgmh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.26.0.138)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "deskflow", "source": "cna", "vendor": "deskflow"}, "product": "deskflow", "vendor": "deskflow"}], "analysis": {"en": {"generated_at": "2026-04-28T05:46:00.468557+00:00", "value": {"mitigation_remediation": ["Upgrade Deskflow to version 1.26.0.138 or later to eliminate the buffer overflow", "If a patch cannot be applied immediately, disable or restrict automatic clipboard sharing so that only trusted peers can send updates", "Apply network controls (e.g., firewall rules) to limit the Deskflow peer protocol to authorized hosts and monitor for anomalous clipboard traffic"], "summary": {"action": "Immediate Patch", "impact": "Information disclosure via out\u2011of\u2011bounds read"}, "threat_synthesis": {"affected_systems": "All installations of Deskflow running a version earlier than 1.26.0.138 are affected. The vulnerability exists in the core clipboard handling code and applies to every release of the application prior to the patched version.", "description_and_impact": "Deskflow, a keyboard and mouse sharing application, contains a memory\u2011safety flaw in its clipboard deserialization routine. When a connected peer sends a malformed clipboard update, the outer size of the transfer is validated, but the internal structure of the serialized data is not. The unchecked internal lengths allow Deskflow to perform an out\u2011of\u2011bounds read during unmarshalling, potentially leaking arbitrary memory contents or causing a crash. This flaw does not directly enable code execution but can expose sensitive data or destabilize the application.", "risk_and_exploitability": "The CVSS v3 score of 7.4 signifies a high severity vulnerability. The EPSS score of less than 1% indicates that the likelihood of exploitation is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The last known attack vector requires the attacker to be connected as a peer to the target Deskflow instance; the malicious payload is sent via the clipboard synchronization channel. Once connected, the attacker can send a crafted clipboard blob to trigger the vulnerability. Because the issue is remote within the peer connection, remediation should prioritize patching, while temporary mitigations can reduce exposure."}}}}, "created": "2026-04-28T06:00:09.573964+00:00", "updated": "2026-04-28T09:17:47.184781+00:00", "vendors": ["deskflow", "deskflow$PRODUCT$deskflow"]}