LeakyCreds

CVE-2026-32853 - Vulnerability Analysis

High, CVSS: 8.1

Last Updated: March 25, 2026

LibVNCServer - Out of Bounds Read

Published: March 24, 2026 | Updated: March 25, 2026 | PoC Available | Remote Exploitable

Overview

LibVNCServer <= 0.9.15 contains a heap out-of-bounds read vulnerability caused by improper bounds checking in the HandleUltraZipBPP() function of the UltraZip encoding handler. A malicious VNC server can use it to cause information disclosure or an application crash. Exploitation requires the attacker to control the VNC server.

Severity & Score

Severity: High
CVSS Score: 8.1

Impact

Malicious VNC servers can cause information disclosure or application crash, potentially disrupting client applications.

Mitigation

Update to a version that includes commit 009008e or later.

Details

CVE ID: CVE-2026-32853
Severity: High
CVSS Score: 8.1
Type: out_of_bounds_rw
Status: confirmed

CWE

  • CWE-125

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H