CVE-2026-32854 - Vulnerability Analysis
High | CVSS: 7.5 | Last Updated: March 25, 2026
LibVNCServer - Denial of Service
Published: March 24, 2026 | Updated: March 25, 2026 | PoC Available | Remote Exploitable
Overview
LibVNCServer <= 0.9.15 contains a null pointer dereference caused by missing validation of strchr() return values in the HTTP proxy handlers in httpd.c. Remote attackers can cause a denial of service via crafted HTTP requests. Exploitation requires the httpd and proxy features to be enabled.
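The class of check the overview says is missing, shown as an added example that is not LibVNCServer's code or the fix in commit dc78dee. The function name parse_proxy_target, the "host:port" input format and the sample values are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not LibVNCServer code: split a "host:port" target
 * taken from a proxy request. Returns 0 on success, -1 if malformed. */
static int parse_proxy_target(const char *target, char *host, size_t hostlen,
                              int *port)
{
    const char *colon;
    char *end;
    long value;
    size_t len;

    if (target == NULL || host == NULL || port == NULL)
        return -1;
    /* strchr() returns NULL when ':' is absent; using the result without
     * this check is the null pointer dereference (CWE-476). */
    colon = strchr(target, ':');
    if (colon == NULL)
        return -1;
    len = (size_t)(colon - target);
    if (len == 0 || len >= hostlen)
        return -1;
    errno = 0;
    value = strtol(colon + 1, &end, 10);
    if (errno != 0 || end == colon + 1 || *end != '\0' ||
        value < 1 || value > 65535)
        return -1;
    memcpy(host, target, len);
    host[len] = '\0';
    *port = (int)value;
    return 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "vnc.example.test:5900", "vnc.example.test",
                              ":5900", "vnc.example.test:99999" };
    char host[64];
    int port;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = parse_proxy_target(samples[i], host, sizeof host, &port);
        printf("%-7s %s\n", rc == 0 ? "accept" : "reject", samples[i]);
    }
    return 0;
}
```

A handler built this way answers malformed input with an error response instead of passing an unchecked pointer to later parsing.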
Severity & Score
Severity: High
CVSS Score: 7.5
Impact
Remote attackers can crash the server, causing denial of service.
Mitigation
Update to a version including commit dc78dee or later.
Details
- CVE ID: CVE-2026-32854
- Severity: High
- CVSS Score: 7.5
- Type: null_pointer_dereference
- Status: confirmed
CWE
- CWE-476
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H