CVE-2026-44296

HIGH EPSS 19.6%
Published May 12, 20261mo ago · Modified Jun 17, 20262w ago
7.5 CVSS 3.1
High
Find Similar
Published May 12, 2026 1mo ago
Last Modified Jun 17, 2026 2w ago

Description

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
19.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-400 Uncontrolled Resource Consumption Resource Mgmt
CWE-405

References 2

  • github.com https://github.com/deskflow/deskflow/commit/329783490bd16774ba903b84212467d20d76bfba
  • github.com https://github.com/deskflow/deskflow/security/advisories/GHSA-3mxm-cgh2-6448

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.