PT-2026-27460 · Unknown · Libvncserver

Y637F9Qq2X · Published 2026-03-24 · Updated 2026-05-09 · CVE-2026-32853

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

LibVNCServer versions prior to commit 009008e
LibVNCServer version 0.9.15

Description

The software contains a heap out-of-bounds read issue in the UltraZip encoding handler. A malicious VNC server can exploit this to cause information disclosure or application crash. The issue is due to improper bounds checking in the HandleUltraZipBPP() function. Attackers can manipulate subrectangle header counts to read beyond the allocated heap buffer.

Recommendations

Update to a version after commit 009008e.
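As an added illustration of the kind of bounds check the description refers to (this is not LibVNCServer's code and not the upstream fix): a walk over subrectangle headers whose count is supplied by the peer, where every read is checked against the bytes that remain. The function name, the 12-byte header layout and the raw-pixel payload are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: x, y, w, h as big-endian uint16, then a uint32 encoding. */
#define SUBRECT_HDR_LEN 12u

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk `count` subrectangles packed in buf[0..len): a header followed by
 * w*h*bytes_per_pixel raw pixel bytes. `count` and all header fields are
 * peer-controlled. Returns 0 and sets *consumed, or -1 on any overrun. */
int walk_subrects(const uint8_t *buf, size_t len, uint32_t count,
                  unsigned bytes_per_pixel, size_t *consumed)
{
    size_t off = 0;
    if (bytes_per_pixel == 0 || bytes_per_pixel > 4)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        /* Compare against the remainder; off <= len holds on every pass. */
        if (len - off < SUBRECT_HDR_LEN)
            return -1;
        uint16_t w = be16(buf + off + 4);
        uint16_t h = be16(buf + off + 6);
        off += SUBRECT_HDR_LEN;
        /* 65535 * 65535 * 4 fits in 64 bits, so the product cannot wrap. */
        uint64_t need = (uint64_t)w * h * bytes_per_pixel;
        if (need > (uint64_t)(len - off))
            return -1;
        /* A decoder would copy `need` bytes from buf + off at this point. */
        off += (size_t)need;
    }
    *consumed = off;
    return 0;
}

int main(void)
{
    /* Constructed sample: one 2x1 subrectangle at 4 bytes per pixel (12 + 8 bytes). */
    uint8_t sample[20] = {0,0, 0,0, 0,2, 0,1, 0,0,0,0};
    size_t used = 0;
    printf("count=1 -> %d\n", walk_subrects(sample, sizeof sample, 1, 4, &used));
    printf("count=2 -> %d\n", walk_subrects(sample, sizeof sample, 2, 4, &used));
    return 0;
}
```
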

Exploit

Fix

Weakness Enumeration

Out-of-bounds Read

Related Identifiers

CVE-2026-32853
OESA-2026-2252
OESA-2026-2253
OESA-2026-2254
OESA-2026-2255
OPENSUSE-SU-2026:10433-1
OPENSUSE-SU-2026:20552-1
SUSE-SU-2026:1124-1
SUSE-SU-2026:1173-1
SUSE-SU-2026:1174-1
SUSE-SU-2026:21206-1

Affected Products

Libvncserver