CVE-2026-32853

Name: CVE-2026-32853
Description: LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1132016

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package      | Release    | Version                | Status
libvncserver (PTS)  | bullseye   | 0.9.13+dfsg-2+deb11u1  | vulnerable
libvncserver (PTS)  | bookworm   | 0.9.14+dfsg-1          | vulnerable
libvncserver (PTS)  | trixie     | 0.9.15+dfsg-1          | vulnerable
libvncserver (PTS)  | forky, sid | 0.9.15+dfsg-3          | fixed

The information below is based on the following data on fixed versions.

Package       | Type   | Release    | Fixed Version  | Urgency | Origin | Debian Bugs
libvncserver  | source | (unstable) | 0.9.15+dfsg-3  |         |        | 1132016

Notes

https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj
Fixed by: https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931
