CVE-2026-32853
Published 2026-03-24
Priority P3 · 40 · high · CVSS 3.1: 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS: 0.44% (35.0th percentile)
LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or an application crash. The server manipulates the subrectangle header count in an UltraZip-encoded rectangle so that HandleUltraZipBPP(), which performs insufficient bounds checking, reads beyond the heap buffer allocated for the decoded data. The UltraZip decoder is part of the client library (libvncclient), so the exposed party is a VNC client connecting to an attacker-controlled or compromised server; a LibVNCServer-based server is not attacked through this flaw. Because the fix is identified by commit rather than by a new upstream release, an upstream version string of 0.9.15 on its own does not show whether a build is patched; for distribution packages, check the package release (0.9.15+dfsg-3 on Debian, 0.9.15-8.fc45 on Fedora, per the vendor entries below).
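The following is an added example, not code from LibVNCServer or from any advisory on this page. It models the bug class the description names: a subrectangle count taken from an untrusted header drives a loop over a heap buffer whose real length is known separately, and nothing ties the two together. The hardened parser beside it shows the check that is missing. The wire layout (a 16-bit little-endian count followed by 8-byte x/y/w/h headers), the function names and the two sample messages are all assumed for illustration and do not reproduce the actual UltraZip format or HandleUltraZipBPP().

```c
/* Added example, not LibVNCServer code. Layout and names are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define COUNT_FIELD_LEN 2u   /* assumed: 16-bit LE subrectangle count */
#define SUBRECT_HDR_LEN 8u   /* assumed: x, y, w, h as 16-bit LE fields */

typedef struct { uint16_t x, y, w, h; } subrect_t;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The unchecked pattern, modelled safely: report how many bytes past the end
 * of buf a loop that simply trusts the count field would read. 0 means the
 * count is consistent with the buffer. The real bug performs those reads;
 * this only measures them, so the function is safe to call on hostile input. */
size_t overread_bytes(const uint8_t *buf, size_t len) {
    if (len < COUNT_FIELD_LEN) return 0;
    size_t count = rd16le(buf);
    size_t needed = COUNT_FIELD_LEN + count * SUBRECT_HDR_LEN; /* count <= 65535, no wrap */
    return needed > len ? needed - len : 0;
}

/* Hardened parser. Returns the number of subrectangles parsed, or -1 on
 * malformed input. rw/rh are the enclosing rectangle's dimensions from the
 * framebuffer update, so every subrectangle must also fit inside them. */
int parse_subrects_checked(const uint8_t *buf, size_t len,
                           uint16_t rw, uint16_t rh,
                           subrect_t *out, size_t max_out) {
    if (buf == NULL || out == NULL || len < COUNT_FIELD_LEN) return -1;
    size_t count = rd16le(buf);
    /* Division form: no multiplication on the untrusted count, so no wrap. */
    if (count > (len - COUNT_FIELD_LEN) / SUBRECT_HDR_LEN) return -1;
    if (count > max_out) return -1;
    const uint8_t *p = buf + COUNT_FIELD_LEN;
    for (size_t i = 0; i < count; i++, p += SUBRECT_HDR_LEN) {
        subrect_t r = { rd16le(p), rd16le(p + 2), rd16le(p + 4), rd16le(p + 6) };
        if (r.w == 0 || r.h == 0) return -1;
        /* Promote before adding so x + w cannot wrap in 16 bits. */
        if ((uint32_t)r.x + r.w > rw || (uint32_t)r.y + r.h > rh) return -1;
        out[i] = r;
    }
    return (int)count;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t valid_msg[] = {
    0x02, 0x00,                                     /* count = 2            */
    0x00,0x00, 0x00,0x00, 0x10,0x00, 0x08,0x00,     /* x=0,  y=0, w=16, h=8 */
    0x10,0x00, 0x00,0x00, 0x10,0x00, 0x08,0x00,     /* x=16, y=0, w=16, h=8 */
};
/* Same 18 bytes, but the count field claims 65535 subrectangles. */
static const uint8_t hostile_msg[] = {
    0xff, 0xff,
    0x00,0x00, 0x00,0x00, 0x10,0x00, 0x08,0x00,
    0x10,0x00, 0x00,0x00, 0x10,0x00, 0x08,0x00,
};

/* Returns 1 if both samples behave as described in the text, 0 otherwise. */
int demo(void) {
    subrect_t rects[4];
    int n_ok  = parse_subrects_checked(valid_msg,   sizeof valid_msg,   32, 8, rects, 4);
    int n_bad = parse_subrects_checked(hostile_msg, sizeof hostile_msg, 32, 8, rects, 4);
    size_t over = overread_bytes(hostile_msg, sizeof hostile_msg);
    printf("valid: %d subrects; hostile: rc=%d, unchecked loop would overread %zu bytes\n",
           n_ok, n_bad, over);
    return n_ok == 2 && n_bad == -1 && over > 0 &&
           overread_bytes(valid_msg, sizeof valid_msg) == 0;
}

int main(void) { return demo() ? 0 : 1; }
```

overread_bytes() only measures how far the unchecked loop would run past the buffer; it never performs the read, so the example runs cleanly under a sanitizer. The division form of the length check, count > (len - 2) / 8, is the one to carry into real decoders: the multiplicative form count * 8 + 2 > len can wrap for a wider count type and let an oversized count through.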
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libvncserver | < libvncserver 0.9.15+dfsg-3 (forky) | libvncserver 0.9.15+dfsg-3 (forky) |
| libvnc | libvncserver | <= 0.9.15 | — |
| libvncserver_project | libvncserver | < 0.9.15 | 0.9.15 |
| libvncserver_project | libvncserver | >= 0 < 0.9.15+dfsg-3 | 0.9.15+dfsg-3 |
| ubuntu | libvncserver | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.9 | MEDIUM | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
The two NVD vectors disagree on user interaction (UI:R in v3.1, UI:N in v4.0) and on confidentiality impact (C:H in v3.1, VC:L in v4.0), which accounts for the spread between 8.1 and 6.9; the v3.1 UI:R reading matches the fact that a client must connect to the malicious server.
Ubuntu
LibVNCServer vulnerabilities
vendor_ubuntu · 2026-06-23 · CVSS 7.5
CVE-2020-29260 [HIGH]
Summary: Several security issues were fixed in LibVNCServer.
It was discovered that LibVNCServer had a memory leak in the client cleanup function. An attacker could possibly use this issue to cause LibVNCServer to consume memory, leading to a denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2020-29260)
It was discovered that LibVNCServer did not properly validate bounds when handling UltraZip encoding subrectangles. A remote attacker could possibly use this issue to obtain sensitive information or cause a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.04. (CVE-2026-32853)
It was discovered that LibVNCServer did not properly validate return values in the HTTP proxy handlers. A remote att
Red Hat
LibVNCServer: Information disclosure or Denial of Service via heap out-of-bounds read in UltraZip encoding
vendor_redhat · 2026-03-24 · CVSS 6.9 · [MEDIUM] · CWE-125
A flaw was found in LibVNCServer. A malicious VNC server can exploit an improper bounds checking vulnerability in the UltraZip encoding handler, specifically within the `HandleUltraZipBPP()` function. By manipulating subrectangle header counts, an attacker can read beyond t
Debian
CVE-2026-32853: libvncserver
vendor_debian · 2026 · CVSS 6.9 · [MEDIUM]
Scope: local
| Suite | Status |
|---|---|
| bookworm | open |
| bullseye | open |
| forky | resolved (fixed in 0.9.15+dfsg-3) |
| sid | resolved (fixed in 0.9.15+dfsg-3) |
| trixie | open |
OSV
CVE-2026-32853
osv · 2026-03-24 · CVSS 6.9 · [MEDIUM]
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-32853 libvncserver: LibVNCServer: Information disclosure or Denial of Service via heap out-of-bounds read in UltraZip encoding [fedora-all]
bugzilla · 2026-03-24 · CVSS 8.1 · [HIGH]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This bug is already fixed in a published Bodhi update: libvncserver-0.9.15-8.fc45
Wiz
CVE-2026-32853 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.1 · [MEDIUM]
CVE-2026-32853: NixOS vulnerability analysis and mitigation
Source: NVD
Score: 6.9 (CNA score 6.9)
Published: March 24, 2026
Severity: MEDIUM
Affected technologies: NixOS, Homebrew
Has public exploit: Yes
Has CISA KEV exploit: No (KEV release date N/A, KEV due date N/A)
Exploitation probability percentile (EPSS): 12.1
Exploitation probability (EPSS): N/A
Wiz's "Has public exploit: Yes" is not corroborated elsewhere on this page: the OSV entry above reports no public exploits indexed, and none of the references below links a proof of concept. The EPSS figures here (percentile 12.1, probability N/A) also differ from the 0.44% / 35.0th percentile at the top of the page, which reflects a different scoring snapshot.
Affected package:
https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931
https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj
https://www.vulncheck.com/advisories/libvncserver-ultrazip-encoding-heap-out-of-bounds-read
Published 2026-03-24