CVE-2026-32854

Source
https://cve.org/CVERecord?id=CVE-2026-32854
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32854.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32854
Aliases
  • GHSA-xjp8-4qqv-5x4x
Downstream
Related
Published
2026-03-24T17:31:32.011Z
Modified
2026-07-08T08:13:01.899512Z
Severity
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
LibVNCServer httpd proxy NULL Pointer Dereference
Details

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32854.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-476"
    ]
}
References

Affected packages

Git / github.com/libvnc/libvncserver

Affected ranges

Type
GIT
Repo
https://github.com/libvnc/libvncserver
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.9.15"
        }
    ]
}

Affected versions

LibVNCServer-0.*
LibVNCServer-0.9.10
LibVNCServer-0.9.11
LibVNCServer-0.9.12
LibVNCServer-0.9.13
LibVNCServer-0.9.14
LibVNCServer-0.9.15
LibVNCServer-0.9.8
LibVNCServer-0.9.9
Other
X11VNC_0_9_10
X11VNC_0_9_11
X11VNC_0_9_12
X11VNC_0_9_7
X11VNC_0_9_8
X11VNC_0_9_9
X11VNC_REL_0_9_4
X11VNC_REL_0_9_5
X11VNC_REL_0_9_6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32854.json"