DEBIAN-CVE-2026-32853

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-32853

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32853.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-32853

Upstream

CVE-2026-32853

Published

2026-03-24T18:16:09.253Z

Modified

2026-04-06T04:00:22.571305Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H CVSS Calculator

Summary

[none]

Details

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.

References

https://security-tracker.debian.org/tracker/CVE-2026-32853

Affected packages

Debian:11 / libvncserver

Package

Name: libvncserver
Purl: pkg:deb/debian/libvncserver?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.13+dfsg-2

0.9.13+dfsg-2+deb11u1

0.9.13+dfsg-3

0.9.13+dfsg-4

0.9.13+dfsg-5

0.9.14+dfsg-1

0.9.15+dfsg-1

0.9.15+dfsg-2

0.9.15+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32853.json"

Debian:12 / libvncserver

Package

Name: libvncserver
Purl: pkg:deb/debian/libvncserver?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.14+dfsg-1

0.9.15+dfsg-1

0.9.15+dfsg-2

0.9.15+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32853.json"

Debian:13 / libvncserver

Package

Name: libvncserver
Purl: pkg:deb/debian/libvncserver?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9.15+dfsg-1

0.9.15+dfsg-2

0.9.15+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32853.json"

Debian:14 / libvncserver

Package

Name: libvncserver
Purl: pkg:deb/debian/libvncserver?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.9.15+dfsg-3

Affected versions

0.*

0.9.15+dfsg-1

0.9.15+dfsg-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32853.json"