LibVNCServer UltraZip Encoding Heap Out-of-bounds Read_CVE-2026-32853

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Description

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.

Basic Information

ID CVE-2026-32853

Source VulnCheck

Published Mar 24, 2026 at 17:30

Modified Mar 25, 2026 at 13:41

Affected Product

Vendor LibVNC

Product LibVNCServer

Affected Versions LibVNC LibVNCServer 0

CWE Classification

CWE-125

References

{
    "lastseen": "",
    "description": "LibVNCServer versions 0.9.15 and prior (fixed in\u00a0commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.",
    "published": "2026-03-24T17:30:40.061Z",
    "modified": "2026-03-25T13:41:15.171Z",
    "type": "cve",
    "title": "LibVNCServer UltraZip Encoding Heap Out-of-bounds Read",
    "source": "VulnCheck",
    "references": "https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj\nhttps://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931\nhttps://www.vulncheck.com/advisories/libvncserver-ultrazip-encoding-heap-out-of-bounds-read",
    "id": "CVE-2026-32853",
    "bulletinFamily": "",
    "cwe": [
        "CWE-125"
    ],
    "cvelist": null,
    "sourceData": "LibVNC LibVNCServer 0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LibVNCServer",
    "version": "0",
    "vendor": "LibVNC",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}