CVE-2026-32854

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314	Patch
https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x	Exploit Vendor Advisory
https://www.vulncheck.com/advisories/libvncserver-httpd-proxy-null-pointer-dereference	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-24 18:16

Updated : 2026-03-25 21:57

NVD link : CVE-2026-32854

Mitre link : CVE-2026-32854

CVE.ORG link : CVE-2026-32854

JSON object : View

Products Affected

libvncserver_project

libvncserver

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2026-32854", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T18:16:09.423", "references": [{"url": "https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314", "tags": ["Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x", "tags": ["Exploit", "Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/libvncserver-httpd-proxy-null-pointer-dereference", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "LibVNCServer versions 0.9.15 and prior (fixed in\u00a0commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled."}, {"lang": "es", "value": "Las versiones 0.9.15 y anteriores de LibVNCServer (corregido en el commit dc78dee) contienen vulnerabilidades de desreferencia de puntero nulo en los manejadores de proxy HTTP dentro de httpProcessInput() en httpd.c que permiten a atacantes remotos causar una denegaci\u00f3n de servicio enviando solicitudes HTTP especialmente dise\u00f1adas. Los atacantes pueden explotar la falta de validaci\u00f3n de los valores de retorno de strchr() en las rutas de manejo de proxy CONNECT y GET para desencadenar desreferencias de puntero nulo y bloquear el servidor cuando las caracter\u00edsticas httpd y de proxy est\u00e1n habilitadas."}], "lastModified": "2026-03-25T21:57:20.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A73C0099-80A6-4B55-8B34-7968BFADE90A", "versionEndExcluding": "0.9.15"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}