Remote Memory-Safety Vulnerability in Deskflow by Deskflow Technologies
CVE-2026-41476

7.4 HIGH

Key Information:

Vendor

Deskflow

Status
Vendor
CVE Published:
24 April 2026

What is CVE-2026-41476?

A remote memory-safety vulnerability exists in Deskflow, a keyboard and mouse sharing application, prior to version 1.26.0.138. Clipboard deserialization is improperly validated, so a connected peer can trigger the flaw by sending a malformed clipboard update. ClipboardChunk::assemble() validates only the outer clipboard transfer size; the internal structure of the clipboard data is not validated, which can lead to out-of-bounds reads. Users are advised to update to version 1.26.0.138 to mitigate this risk.
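The class of check described above, as an added example (not Deskflow's code and not taken from the fix): a parser that validates every inner count and length against the bytes actually received, rather than trusting the outer transfer size alone. The wire layout, ClipboardEntry, readU32 and parseClipboard are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Assumed layout (hypothetical, not Deskflow's documented format):
//   u32 entry_count, then per entry: u32 format_id, u32 length, <length> bytes.
// All integers are big-endian.
using ClipboardEntry = std::pair<uint32_t, std::string>;

// Read a big-endian u32 at pos, refusing to read past the end of buf.
// Callers keep pos <= buf.size(), so the subtraction cannot underflow.
static bool readU32(const std::string &buf, size_t &pos, uint32_t &out)
{
  if (buf.size() - pos < 4)
    return false;
  out = 0;
  for (int i = 0; i < 4; ++i)
    out = (out << 8) | static_cast<uint8_t>(buf[pos + i]);
  pos += 4;
  return true;
}

// Parse an assembled blob. Returns false on any structural violation and
// leaves `out` untouched, so callers never see a half-parsed clipboard.
bool parseClipboard(const std::string &buf, std::vector<ClipboardEntry> &out)
{
  size_t pos = 0;
  uint32_t count = 0;
  if (!readU32(buf, pos, count))
    return false;
  // Each entry needs at least 8 header bytes; reject impossible counts early.
  if (count > (buf.size() - pos) / 8)
    return false;

  std::vector<ClipboardEntry> entries;
  for (uint32_t i = 0; i < count; ++i) {
    uint32_t format = 0, length = 0;
    if (!readU32(buf, pos, format) || !readU32(buf, pos, length))
      return false;
    if (length > buf.size() - pos) // inner length must fit in what remains
      return false;
    entries.emplace_back(format, buf.substr(pos, length));
    pos += length;
  }
  if (pos != buf.size()) // trailing bytes: outer size and inner structure disagree
    return false;
  out.swap(entries);
  return true;
}
```

Comparing each length against the remaining byte count (rather than testing pos + length against the size) keeps the check safe from integer wraparound on attacker-chosen lengths.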

Affected Version(s)

deskflow < 1.26.0.138

CVSS V4

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved