2461682 – (CVE-2026-41477) CVE-2026-41477 Deskflow: Deskflow: Privilege escalation and arbitrary code execution via unauthenticated IPC named pipe

Bug 2461682 (CVE-2026-41477) - CVE-2026-41477 Deskflow: Deskflow: Privilege escalation and arbitrary code execution via unauthenticated IPC named pipe

Summary: CVE-2026-41477 Deskflow: Deskflow: Privilege escalation and arbitrary code ex...

Keywords:
Status:	NEW
Alias:	CVE-2026-41477
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2463196 2463197
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-24 20:02 UTC by OSIDB Bzimport
Modified:	2026-04-27 11:48 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-24 20:02:02 UTC

Deskflow is a keyboard and mouse sharing app.  In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary commands as SYSTEM. Affects both stable v1.20.0 + and Continuous v1.26.0.134 prerelease.

Note You need to log in before you can comment on or make changes to this bug.