CVE-2026-32853

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931	Patch
https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj	Vendor Advisory
https://www.vulncheck.com/advisories/libvncserver-ultrazip-encoding-heap-out-of-bounds-read	Exploit Vendor Advisory
https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-24 18:16

Updated : 2026-03-25 20:48

NVD link : CVE-2026-32853

Mitre link : CVE-2026-32853

CVE.ORG link : CVE-2026-32853

JSON object : View

Products Affected

libvncserver_project

libvncserver

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2026-32853", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T18:16:09.253", "references": [{"url": "https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj", "tags": ["Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/libvncserver-ultrazip-encoding-heap-out-of-bounds-read", "tags": ["Exploit", "Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "LibVNCServer versions 0.9.15 and prior (fixed in\u00a0commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer."}, {"lang": "es", "value": "Las versiones 0.9.15 y anteriores de LibVNCServer (corregido en el commit 009008e) contienen una vulnerabilidad de lectura fuera de l\u00edmites de la pila en el gestor de codificaci\u00f3n UltraZip que permite a un servidor VNC malicioso causar revelaci\u00f3n de informaci\u00f3n o un fallo de la aplicaci\u00f3n. Los atacantes pueden explotar la comprobaci\u00f3n de l\u00edmites incorrecta en la funci\u00f3n HandleUltraZipBPP() manipulando los recuentos de encabezados de subrect\u00e1ngulos para leer m\u00e1s all\u00e1 del b\u00fafer de pila asignado."}], "lastModified": "2026-03-25T20:48:30.733", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A73C0099-80A6-4B55-8B34-7968BFADE90A", "versionEndExcluding": "0.9.15"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}