CVE-2020-29260
Published 2022-09-02
CVE-2020-29260: libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().
Priority P433 · high · 7.5 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.91% (55.6th percentile)
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | libvncserver | < libvncserver 0.9.13+dfsg-5 (bookworm) | libvncserver 0.9.13+dfsg-5 (bookworm) |
| libvncserver_project | libvncserver | — | — |
| libvncserver_project | libvncserver | >= 0 < 0.9.13+dfsg-2+deb11u1 | 0.9.13+dfsg-2+deb11u1 |
| libvncserver_project | libvncserver | >= 0 < 0.9.13+dfsg-5 | 0.9.13+dfsg-5 |
| libvncserver_project | libvncserver | >= 0 < 0.9.13+dfsg-5 | 0.9.13+dfsg-5 |
| libvncserver_project | libvncserver | >= 0 < 0.9.13+dfsg-5 | 0.9.13+dfsg-5 |
| ubuntu | libvncserver | — | — |
CVSS provenance
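| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |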
Ubuntu
LibVNCServer vulnerabilities
vendor_ubuntu·2026-06-23·CVSS 7.5
CVE-2020-29260 [HIGH] LibVNCServer vulnerabilities
Title: LibVNCServer vulnerabilities
Summary: Several security issues were fixed in LibVNCServer.
It was discovered that LibVNCServer had a memory leak in the client cleanup
function. An attacker could possibly use this issue to cause LibVNCServer
to consume memory, leading to a denial of service. This issue only affected
Ubuntu 22.04 LTS. (CVE-2020-29260)

It was discovered that LibVNCServer did not properly validate bounds when
handling UltraZip encoding subrectangles. A remote attacker could possibly
use this issue to obtain sensitive information or cause a denial of
service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and
Ubuntu 25.04. (CVE-2026-32853)

It was discovered that LibVNCServer did not properly validate return values
in the HTTP proxy handlers. A remote att
Red Hat
libvncserver: a memory leak via the function rfbClientCleanup() may lead to a DoS
vendor_redhat·2022-09-03·CVSS 7.5
CVE-2020-29260 [HIGH] CWE-401 libvncserver: a memory leak via the function rfbClientCleanup() may lead to a DoS
libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().
A flaw was found in the libvncserver library. A memory leak in the rfbClientCleanup() function may allow a remote attacker to cause a denial of service.
Package: libvncserver (Red Hat Enterprise Linux 6) - Affected
Package: libvncserver (Red Hat Enterprise Linux 7) - Will not fix
Package: libvncserver (Red Hat Enterprise Linux 8) - Will not fix
Debian
CVE-2020-29260: libvncserver - libvncclient v0.9.13 was discovered to contain a memory leak via the function rf...
vendor_debian·2020·CVSS 7.5
CVE-2020-29260 [HIGH] CVE-2020-29260: libvncserver - libvncclient v0.9.13 was discovered to contain a memory leak via the function rf...
libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().
Scope: local
bookworm: resolved (fixed in 0.9.13+dfsg-5)
bullseye: resolved (fixed in 0.9.13+dfsg-2+deb11u1)
forky: resolved (fixed in 0.9.13+dfsg-5)
sid: resolved (fixed in 0.9.13+dfsg-5)
trixie: resolved (fixed in 0.9.13+dfsg-5)
GHSA
GHSA-mgvc-cjfr-fjf4: libvncclient v0
ghsa_unreviewed·2022-09-03
CVE-2020-29260 [HIGH] CWE-400 GHSA-mgvc-cjfr-fjf4: libvncclient v0
libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().
OSV
CVE-2020-29260: libvncclient v0
osv·2022-09-02·CVSS 7.5
CVE-2020-29260 [HIGH] CVE-2020-29260: libvncclient v0
libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
https://github.com/LibVNC/libvncserver/commit/bef41f6ec4097a8ee094f90a1b34a708fbd757ec
https://lists.debian.org/debian-lts-announce/2022/09/msg00035.html