From: Heechan Kang <gganji11@naver.com>
QEMU's VNC extended clipboard handler inflates a client-controlled
compressed clipboard payload. The code checks the declared text size
against the total inflated buffer size:
if (tsize < size)
but then copies from:
tbuf = buf + 4;
qemu_clipboard_set_data(..., tsize, tbuf, true);
The correct bound is the remaining data length after the 4-byte length
field, not the total inflated buffer length.
As a result, a VNC client can make QEMU copy up to 3 bytes past the end
of the inflated heap buffer. With a second VNC client, those copied
bytes are observable through the normal VNC extended clipboard PROVIDE
path.
Fixes: CVE-2026-8343
Reported-by: Heechan Kang <gganji11@naver.com>
Reported-by: Feifan Qian <bea1e@proton.me>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Heechan Kang <gganji11@naver.com>
[DB: added #include and 'return' statements]
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
ui/vnc-clipboard.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
index 124b6fbd9c..fa05d86f42 100644
--- a/ui/vnc-clipboard.c
+++ b/ui/vnc-clipboard.c
@@ -23,6 +23,7 @@
*/
#include "qemu/osdep.h"
+#include "qemu/error-report.h"
#include "vnc.h"
#include "vnc-jobs.h"
@@ -282,10 +283,16 @@ void vnc_client_cut_text_ext(VncState *vs, int32_t len, uint32_t flags, uint8_t
buf && size >= 4) {
uint32_t tsize = read_u32(buf, 0);
uint8_t *tbuf = buf + 4;
- if (tsize < size) {
+ if (tsize <= size - 4) {
qemu_clipboard_set_data(&vs->cbpeer, vs->cbinfo,
QEMU_CLIPBOARD_TYPE_TEXT,
tsize, tbuf, true);
+ } else {
+ error_report("vnc: malformed extended clipboard payload "
+ "with text length %u exceeding available %u",
+ tsize, size - 4);
+ vnc_client_error(vs);
+ return;
}
}
}
--
2.54.0
On Tue, May 12, 2026 at 1:57 PM Daniel P. Berrangé <berrange@redhat.com> wrote:
>
> From: Heechan Kang <gganji11@naver.com>
>
> QEMU's VNC extended clipboard handler inflates a client-controlled
> compressed clipboard payload. The code checks the declared text size
> against the total inflated buffer size:
>
> if (tsize < size)
>
> but then copies from:
>
> tbuf = buf + 4;
> qemu_clipboard_set_data(..., tsize, tbuf, true);
>
> The correct bound is the remaining data length after the 4-byte length
> field, not the total inflated buffer length.
>
> As a result, a VNC client can make QEMU copy up to 3 bytes past the end
> of the inflated heap buffer. With a second VNC client, those copied
> bytes are observable through the normal VNC extended clipboard PROVIDE
> path.
>
> Fixes: CVE-2026-8343
> Reported-by: Heechan Kang <gganji11@naver.com>
> Reported-by: Feifan Qian <bea1e@proton.me>
> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
> Signed-off-by: Heechan Kang <gganji11@naver.com>
> [DB: added #include and 'return' statements]
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
> ---
> ui/vnc-clipboard.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/ui/vnc-clipboard.c b/ui/vnc-clipboard.c
> index 124b6fbd9c..fa05d86f42 100644
> --- a/ui/vnc-clipboard.c
> +++ b/ui/vnc-clipboard.c
> @@ -23,6 +23,7 @@
> */
>
> #include "qemu/osdep.h"
> +#include "qemu/error-report.h"
> #include "vnc.h"
> #include "vnc-jobs.h"
>
> @@ -282,10 +283,16 @@ void vnc_client_cut_text_ext(VncState *vs, int32_t len, uint32_t flags, uint8_t
> buf && size >= 4) {
> uint32_t tsize = read_u32(buf, 0);
> uint8_t *tbuf = buf + 4;
> - if (tsize < size) {
> + if (tsize <= size - 4) {
> qemu_clipboard_set_data(&vs->cbpeer, vs->cbinfo,
> QEMU_CLIPBOARD_TYPE_TEXT,
> tsize, tbuf, true);
> + } else {
> + error_report("vnc: malformed extended clipboard payload "
> + "with text length %u exceeding available %u",
> + tsize, size - 4);
> + vnc_client_error(vs);
> + return;
> }
> }
> }
> --
> 2.54.0
>
>
© 2016 - 2026 Red Hat, Inc.