CVE-2026-44296

HIGH

Deskflow: TLS multiplexer DoS on failed `SSL_accept`

Title source: cna

Description

Deskflow is a keyboard and mouse sharing app. Prior to 1.26.0.167, a remote, unauthenticated denial of service (DoS) vulnerability affects Deskflow servers running with TLS enabled (the default). When any TCP peer connects to the listening port and its first bytes do not parse as a valid TLS ClientHello, SecureSocket::secureAccept enters its fatal-error branch and calls Arch::sleep(1) (a blocking 1-second sleep) on the multiplexer worker thread. That thread services every socket on the server, including established TLS clients delivering mouse motion, keyboard events, and clipboard updates. A single failed handshake therefore stalls input delivery to all connected screens for ~1 second, and a sustained drip of malformed connections (≥ 1/s) makes the server effectively unusable while the attack persists. This vulnerability is fixed in 1.26.0.167.

References (2)

Core 2

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/deskflow/deskflow/security/advisories/GHSA-3mxm-cgh2-6448

X_Refsource_Misc x_refsource_misc

https://github.com/deskflow/deskflow/commit/329783490bd16774ba903b84212467d20d76bfba

View Writeup ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0028

EPSS Percentile 19.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-400 CWE-405

Status published

Products (1)

deskflow/deskflow < 1.26.0.167

Published May 12, 2026

Tracked Since May 13, 2026