CVE-2026-32854

NameCVE-2026-32854
DescriptionLibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1132017

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libvncserver (PTS)bullseye0.9.13+dfsg-2+deb11u1vulnerable
bookworm0.9.14+dfsg-1vulnerable
trixie0.9.15+dfsg-1vulnerable
forky, sid0.9.15+dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libvncserversource(unstable)0.9.15+dfsg-31132017

Notes

https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x
Fixed by: https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314
Search for package or bug name: Reporting problems