Security Vulnerability Report
CVE-2026-34352 CVSS 8.5 HIGH

CVE-2026-34352

Published: 2026-03-26 23:16:21
Last Modified: 2026-04-02 20:16:16

Description

In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.

CVSS Details

CVSS Score: 8.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:tigervnc:tigervnc:*:*:*:*:*:*:*:* - VULNERABLE
TigerVNC < 1.16.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-34352 (TigerVNC Permission Issue)

This script demonstrates checking for accessible VNC sockets or memory
segments that might be exposed due to incorrect permissions in x0vncserver.

Note: This is a conceptual demonstration based on the vulnerability description.
"""
import os
import glob


def check_vnc_permissions():
    print("[*] Checking for common x0vncserver resources...")

    # Check for X11 sockets (often used by x0vncserver)
    x11_socket_dir = "/tmp/.X11-unix"
    if os.path.exists(x11_socket_dir):
        print(f"[+] Found X11 socket directory: {x11_socket_dir}")
        for sock_path in glob.glob(os.path.join(x11_socket_dir, "X*")):
            # Last three octal digits of st_mode: owner/group/other permission bits
            mode = oct(os.stat(sock_path).st_mode)[-3:]
            print(f" - Socket: {os.path.basename(sock_path)} Permissions: {mode}")
            # If world-readable/writable, it might be vulnerable depending on config
            # (an "other" digit of 6 or 7 means read and write are both granted)
            if mode.endswith('6') or mode.endswith('7'):
                print(f" [!] Potential weak permissions detected on {sock_path}")

    # Check for potential TigerVNC shared memory segments (Linux)
    # /dev/shm is often used for IPC
    shm_dir = "/dev/shm"
    if os.path.exists(shm_dir):
        print(f"[*] Checking shared memory in {shm_dir}...")
        for item in os.listdir(shm_dir):
            # Name-based match only: flags entries whose name mentions vnc or x11
            if "vnc" in item.lower() or "x11" in item.lower():
                path = os.path.join(shm_dir, item)
                try:
                    if os.path.isfile(path):
                        mode = oct(os.stat(path).st_mode)[-3:]
                        print(f" - File: {item} Permissions: {mode}")
                        if mode.endswith('6') or mode.endswith('7'):
                            print(f" [!] Weak permissions on potential VNC resource: {item}")
                except PermissionError:
                    # Entry is not accessible to the current user; skip it
                    pass

    print("[!] If weak permissions are found, a local attacker could read screen data or inject input.")


if __name__ == "__main__":
    check_vnc_permissions()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34352", "sourceIdentifier": "[email protected]", "published": "2026-03-26T23:16:20.903", "lastModified": "2026-04-02T20:16:16.010", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions."}, {"lang": "es", "value": "En TigerVNC anterior a 1.16.2, Image.cxx en x0vncserver permite a otros usuarios observar o manipular el contenido de la pantalla, o causar un fallo de la aplicación, debido a permisos incorrectos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.5, "impactScore": 5.3}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tigervnc:tigervnc:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.16.2", "matchCriteriaId": "A1D26886-0F31-44FB-8112-F07B18A7ACDA"}]}]}], "references": 
[{"url": "https://github.com/TigerVNC/tigervnc/commit/0b5cab169d847789efa54459a87659d3fd484393", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://groups.google.com/g/tigervnc-announce/c/anHL9WLshLI", "source": "[email protected]", "tags": ["Mailing List", "Patch"]}, {"url": "https://sourceforge.net/projects/tigervnc/files/stable/1.16.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://www.openwall.com/lists/oss-security/2026/03/26/7", "source": "[email protected]", "tags": ["Mailing List", "Third Party Advisory"]}]}}