Fluid Attacks Database

Description

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rpm rhel6	libvncserver	-	-
rpm rhel8	libvncserver	-	-
rpm rhel9	gnome-remote-desktop	-	-
debian 12	libvncserver	=0.9.14+dfsg-1 \|\| >=0 <0.9.14+dfsg-1+deb12u1	0.9.14+dfsg-1+deb12u1
debian 11	libvncserver	=0.9.13+dfsg-2 \|\| =0.9.13+dfsg-2+deb11u1 \|\| =0.9.13+dfsg-3 \|\| =0.9.13+dfsg-4 \|\| =0.9.13+dfsg-5 \|\| =0.9.14+dfsg-1 \|\| =0.9.15+dfsg-1 \|\| =0.9.15+dfsg-2 \|\| =0.9.15+dfsg-3 \|\| =0.9.15+dfsg-4	-
debian 13	libvncserver	=0.9.15+dfsg-1 \|\| >=0 <0.9.15+dfsg-1+deb13u1	0.9.15+dfsg-1+deb13u1
debian 14	libvncserver	=0.9.15+dfsg-1 \|\| =0.9.15+dfsg-2 \|\| >=0 <0.9.15+dfsg-3	0.9.15+dfsg-3

Aliases

1. CVE-2026-328532. NVD-2026-328533. OSV-2026-328534. OSV-DEBIAN-2026-328535. SECURITY-TRACKER-CVE-2026-32853

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.