MidnightBSD

Advisories for libvncserver_project

CVE-2016-9941 HIGH

Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libvncserver_project libvncserver *
CVE-2016-9942 HIGH

Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-119,

Products Affected

Vendor Product Version
libvncserver_project libvncserver 0.9.10
CVE-2017-18922 HIGH

It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
opensuse leap 15.2
siemens simatic_itc1900_pro_firmware *
siemens simatic_itc2200_pro_firmware *
canonical ubuntu_linux 18.04
siemens simatic_itc1500_firmware *
siemens simatic_itc1500_pro_firmware *
libvncserver_project libvncserver *
fedoraproject fedora 31
canonical ubuntu_linux 16.04
siemens simatic_itc1900_firmware *
fedoraproject fedora 32
canonical ubuntu_linux 20.04
canonical ubuntu_linux 19.10
opensuse leap 15.1
siemens simatic_itc2200_firmware *
CVE-2018-7225 HIGH

An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-190,

Products Affected

Vendor Product Version
redhat enterprise_linux_server 7.0
redhat enterprise_linux_server_aus 7.6
debian debian_linux 9.0
canonical ubuntu_linux 17.10
redhat enterprise_linux_workstation 7.0
libvncserver_project libvncserver *
canonical ubuntu_linux 16.04
debian debian_linux 7.0
debian debian_linux 8.0
redhat enterprise_linux_server_tus 7.6
canonical ubuntu_linux 14.04
redhat enterprise_linux_server_eus 7.6
redhat enterprise_linux_desktop 7.0
redhat enterprise_linux_server_eus 7.5
CVE-2020-14399 MEDIUM

An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
debian debian_linux 8.0
opensuse leap 15.2
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 18.04
libvncserver_project libvncserver *
opensuse leap 15.1
canonical ubuntu_linux 16.04
CVE-2020-14400 MEDIUM

An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
debian debian_linux 8.0
opensuse leap 15.2
canonical ubuntu_linux 20.04
debian debian_linux 9.0
canonical ubuntu_linux 18.04
libvncserver_project libvncserver *
opensuse leap 15.1
canonical ubuntu_linux 16.04
CVE-2020-14401 MEDIUM

An issue was discovered in LibVNCServer before 0.9.13. libvncserver/scale.c has a pixel_value integer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-190,

Products Affected

Vendor Product Version
debian debian_linux 8.0
opensuse leap 15.2
siemens simatic_itc1900_pro_firmware *
siemens simatic_itc2200_pro_firmware *
debian debian_linux 9.0
siemens simatic_itc1500_firmware *
siemens simatic_itc1500_pro_firmware *
libvncserver_project libvncserver *
opensuse leap 15.1
siemens simatic_itc1900_firmware *
siemens simatic_itc2200_firmware *
CVE-2020-25708 MEDIUM

A divide by zero issue was found to occur in libvncserver-0.9.12. A malicious client could use this flaw to send a specially crafted message that, when processed by the VNC server, would lead to a floating point exception, resulting in a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-369,CWE-369,

Products Affected

Vendor Product Version
libvncserver_project libvncserver 0.9.12
redhat enterprise_linux 7.0
redhat enterprise_linux 6.0
redhat enterprise_linux 8.0
debian debian_linux 10.0
CVE-2020-29260

libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
debian debian_linux 10.0
libvncserver_project libvncserver 0.9.13
CVE-2026-32853

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.

Products Affected

Vendor Product Version
libvncserver_project libvncserver *
CVE-2026-32854

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.

Products Affected

Vendor Product Version
libvncserver_project libvncserver *