PT-2026-40447 · Deskflow · Deskflow
Published: 2026-05-12 · Updated: 2026-05-13 · CVE-2026-44296
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Deskflow versions prior to 1.26.0.167
Description
A remote, unauthenticated denial of service (DoS) affects servers running with TLS enabled. When a TCP peer connects to the listening port and the initial bytes are not a valid TLS ClientHello, the SecureSocket::secureAccept() function takes a fatal-error branch and executes Arch::sleep(1). This is a blocking 1-second sleep on the multiplexer worker thread, which is responsible for servicing all sockets, including those delivering mouse motion, keyboard events, and clipboard updates. Consequently, a single failed handshake stalls input delivery to all connected screens for approximately one second, and a continuous stream of malformed connections (one or more per second) renders the server unusable.
Recommendations
Update to version 1.26.0.167.
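The stall described above can be reproduced in a virtual-time model of a single multiplexer worker. This is an added example, not Deskflow source code and not the project's actual patch. The names (`simulate`, `makeWorkload`, `kServiceMs`), the workload, and the timer-based alternative are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <queue>
#include <vector>

enum class Kind { Input, BadHandshake };
struct Event { int64_t arrivalMs; Kind kind; };
struct Result { int64_t worstInputDelayMs; int64_t rejected; };
constexpr int64_t kPenaltyMs = 1000; // the 1-second sleep described in the advisory
constexpr int64_t kServiceMs = 1;    // assumed cost of servicing one event
// Constructed workload: input every 10 ms for 3 s, one bad handshake per second.
std::vector<Event> makeWorkload() {
    std::vector<Event> ev;
    for (int64_t t = 0; t < 3000; t += 5)
        if (t % 1000 == 505) ev.push_back({t, Kind::BadHandshake});
        else if (t % 10 == 0) ev.push_back({t, Kind::Input});
    return ev;
}

// Virtual-time model of one worker thread servicing every socket in arrival order.
// sleepOnWorker=true:  the failure branch blocks the worker (pattern in the advisory).
// sleepOnWorker=false: it arms a close timer and returns (hypothetical mitigation).
Result simulate(const std::vector<Event>& events, bool sleepOnWorker) {
    std::priority_queue<int64_t, std::vector<int64_t>, std::greater<int64_t>> timers;
    int64_t now = 0, worst = 0, rejected = 0;
    for (const Event& e : events) {
        now = std::max(now, e.arrivalMs);                 // idle until the event arrives
        while (!timers.empty() && timers.top() <= now) {  // fire close timers that are due
            timers.pop(); ++rejected; now += kServiceMs;
        }
        if (e.kind == Kind::Input) {
            worst = std::max(worst, now - e.arrivalMs);   // time this input sat unserviced
        } else if (sleepOnWorker) {
            now += kPenaltyMs; ++rejected;                // every other socket waits here
        } else {
            timers.push(now + kPenaltyMs);                // the bad peer waits, the worker does not
        }
        now += kServiceMs;
    }
    rejected += static_cast<int64_t>(timers.size());      // timers still pending at the end
    return {worst, rejected};
}

int main() {
    for (bool s : {true, false})
        std::printf("sleepOnWorker=%d worst=%lld ms\n", s, (long long)simulate(makeWorkload(), s).worstInputDelayMs);
}
```

Both modes reject the same number of bad handshakes. Only the mode that sleeps on the worker turns each rejection into roughly a second of input latency for every connected screen.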
Fix
DoS
Resource Exhaustion
Related Identifiers
Affected Products
Deskflow