A pre-auth heap overflow in libvncclient's Tight decoder
GHSA-v9pm-47h4-jcq8 — a malicious VNC server can crash or take over any client built on libvncclient, default build, no auth. My first CVE, and why the client trusting the server is the whole problem.