Debian Libvncserver vulnerabilities

45 known vulnerabilities affecting debian/libvncserver.

Total CVEs: 45
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 11, HIGH 20, MEDIUM 10, LOW 4

Vulnerabilities

Page 1 of 3
CVE-2026-32853 | MEDIUM | CVSS 6.9 | fixed in libvncserver 0.9.15+dfsg-3 (forky) | 2026
CVE-2026-32853 [MEDIUM] LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts
debian
CVE-2026-32854 | MEDIUM | CVSS 6.3 | fixed in libvncserver 0.9.15+dfsg-3 (forky) | 2026
CVE-2026-32854 [MEDIUM] LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT
debian
CVE-2020-14397 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14397 [HIGH] An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rfbregion.c has a NULL pointer dereference. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1)
debian
CVE-2020-25708 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-25708 [HIGH] A divide by zero issue was found to occur in libvncserver-0.9.12. A malicious client could use this flaw to send a specially crafted message that, when processed by the VNC server, would lead to a floating point exception, resulting in a denial of service. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky
debian
CVE-2020-14399 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14399 [HIGH] An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed." Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.
debian
CVE-2020-14398 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14398 [HIGH] An issue was discovered in LibVNCServer before 0.9.13. An improperly closed TCP connection causes an infinite loop in libvncclient/sockets.c. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1
debian
CVE-2020-14396 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14396 [HIGH] An issue was discovered in LibVNCServer before 0.9.13. libvncclient/tls_openssl.c has a NULL pointer dereference. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1)
debian
CVE-2020-14400 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14400 [HIGH] An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9
debian
CVE-2020-29260 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-5 (bookworm) | 2020
CVE-2020-29260 [HIGH] libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup(). Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-5); bullseye: resolved (fixed in 0.9.13+dfsg-2+deb11u1); forky: resolved (fixed in 0.9.13+dfsg-5); sid: resolved (fixed in 0.9.13+dfsg-5); trixie: resolved (fixed in 0.9.13+dfsg-5)
debian
CVE-2020-14405 | MEDIUM | CVSS 6.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14405 [MEDIUM] An issue was discovered in LibVNCServer before 0.9.13. libvncclient/rfbproto.c does not limit TextChat size. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1)
debian
CVE-2020-14402 | MEDIUM | CVSS 5.4 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14402 [MEDIUM] An issue was discovered in LibVNCServer before 0.9.13. libvncserver/corre.c allows out-of-bounds access via encodings. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1)
debian
CVE-2020-14403 | MEDIUM | CVSS 5.4 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14403 [MEDIUM] An issue was discovered in LibVNCServer before 0.9.13. libvncserver/hextile.c allows out-of-bounds access via encodings. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1)
debian
CVE-2020-14401 | MEDIUM | CVSS 6.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14401 [MEDIUM] An issue was discovered in LibVNCServer before 0.9.13. libvncserver/scale.c has a pixel_value integer overflow. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1)
debian
CVE-2020-14404 | MEDIUM | CVSS 5.4 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2020
CVE-2020-14404 [MEDIUM] An issue was discovered in LibVNCServer before 0.9.13. libvncserver/rre.c allows out-of-bounds access via encodings. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1)
debian
CVE-2019-15690 | HIGH | CVSS 8.8 | fixed in libvncserver 0.9.12+dfsg-9 (bookworm) | 2019
CVE-2019-15690 [HIGH] LibVNCServer 0.9.12 release and earlier contains heap buffer overflow vulnerability within the HandleCursorShape() function in libvncclient/cursor.c. An attacker sends cursor shapes with specially crafted dimensions, which can result in remote code execution. Scope: local. bookworm: resolved (fixed in 0.9.12+dfsg-9); bullseye: resolved (fixed in 0.9.12+dfsg-9); fo
debian
CVE-2019-20839 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2019
CVE-2019-20839 [HIGH] libvncclient/sockets.c in LibVNCServer before 0.9.13 has a buffer overflow via a long socket filename. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9.13+dfsg-1)
debian
CVE-2019-20840 | HIGH | CVSS 7.5 | fixed in libvncserver 0.9.13+dfsg-1 (bookworm) | 2019
CVE-2019-20840 [HIGH] An issue was discovered in LibVNCServer before 0.9.13. libvncserver/ws_decode.c can lead to a crash because of unaligned accesses in hybiReadAndDecode. Scope: local. bookworm: resolved (fixed in 0.9.13+dfsg-1); bullseye: resolved (fixed in 0.9.13+dfsg-1); forky: resolved (fixed in 0.9.13+dfsg-1); sid: resolved (fixed in 0.9.13+dfsg-1); trixie: resolved (fixed in 0.9
debian
CVE-2019-20788 | HIGH | CVSS 8.8 | fixed in libvncserver 0.9.12+dfsg-9 (bookworm) | 2019
CVE-2019-20788 [HIGH] libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690. Scope: local. bookworm: resolved (fixed in 0.9.12+dfsg-9); bullseye: resolved (fixed in 0.9.12+dfsg-9); forky: resolved (fixed in 0.9.12+dfsg-9); sid: resolved (fixed i
debian
CVE-2019-15680 | LOW | CVSS 7.5 | fixed in tightvnc 1:1.3.9-9.1 (bookworm) | 2019
CVE-2019-15680 [HIGH] TightVNC code version 1.3.10 contains null pointer dereference in HandleZlibBPP function, which results in Denial of System (DoS). This attack appears to be exploitable via network connectivity. Scope: local. bookworm: open; bullseye: open; forky: open; sid: open; trixie: open
debian
CVE-2019-15681 | LOW | CVSS 7.5 | fixed in libvncserver 0.9.12+dfsg-3 (bookworm) | 2019
CVE-2019-15681 [HIGH] LibVNC commit before d01e1bb4246323ba6fcee3b82ef1faa9b1dac82a contains a memory leak (CWE-655) in VNC server code, which allows an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, it can be used to leak stack memory and bypass ASLR. This attack appears to be exploitable via network connectivity. Thes
debian