{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32854", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-16T18:11:41.759Z", "datePublished": "2026-03-24T17:31:32.011Z", "dateUpdated": "2026-03-24T17:31:32.011Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-24T17:31:32.011Z"}, "title": "LibVNCServer httpd proxy NULL Pointer Dereference", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-476", "description": "CWE-476 NULL pointer dereference", "type": "CWE"}]}], "affected": [{"vendor": "LibVNC", "product": "LibVNCServer", "repo": "https://github.com/LibVNC/libvncserver", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "0.9.15", "versionType": "semver"}, {"status": "unaffected", "version": "dc78dee51a7e270e537a541a17befdf2073f5314", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "LibVNCServer versions 0.9.15 and prior (fixed in\u00a0commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "LibVNCServer versions 0.9.15 and prior (fixed in&nbsp;commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.<br>"}]}], "references": [{"url": "https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x", "tags": ["vendor-advisory"]}, {"url": "https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/libvncserver-httpd-proxy-null-pointer-dereference", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:libvncserver_project:libvncserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "A73C0099-80A6-4B55-8B34-7968BFADE90A", "versionEndExcluding": "0.9.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LibVNCServer versions 0.9.15 and prior (fixed in\u00a0commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled."}], "id": "CVE-2026-32854", "lastModified": "2026-03-25T21:57:20.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-24T18:16:09.423", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/libvncserver-httpd-proxy-null-pointer-dereference"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{"bugzilla": {"description": "LibVNCServer: LibVNCServer: Denial of Service via specially crafted HTTP requests", "id": "2450845", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450845"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in LibVNCServer. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by sending specially crafted HTTP requests. The flaw exists in the HTTP proxy handlers, where missing validation of certain return values can lead to a null pointer dereference, causing the server to crash. This impacts the availability of the server when HTTPD and proxy features are enabled."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32854", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "libvncserver", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "libvncserver", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libvncserver", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "gnome-remote-desktop", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T17:31:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32854\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32854\nhttps://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314\nhttps://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x\nhttps://www.vulncheck.com/advisories/libvncserver-httpd-proxy-null-pointer-dereference"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.9.15]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "dc78dee51a7e270e537a541a17befdf2073f5314"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 86.0, "source": "matching"}]}, "original": {"product": "LibVNCServer", "source": "cna", "vendor": "LibVNC"}, "product": "libvncserver", "vendor": "libvncserver"}], "analysis": {"en": {"generated_at": "2026-03-24T18:51:01.977314+00:00", "value": {"mitigation_remediation": ["Upgrade LibVNCServer to a release newer than commit dc78dee, which eliminates the null pointer dereference.", "Disable the HTTP daemon and proxy features if they are not required for your deployment.", "If an immediate update is not possible, block or restrict HTTP proxy traffic at the network perimeter to prevent remote exploitation."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the LibVNCServer project, specifically all releases up to and including version 0.9.15. The issue manifests when the HTTP daemon and proxy features are enabled, allowing external users to communicate through the proxy interface.", "description_and_impact": "LibVNCServer versions 0.9.15 and earlier contain a null pointer dereference in the httpProcessInput() function within the HTTP proxy handlers. When an attacker sends specially crafted HTTP requests that bypass proper validation of strchr() return values in the CONNECT and GET proxy paths, the server dereferences a null pointer and crashes. The crash produces a denial\u2011of\u2011service condition, preventing legitimate users from accessing the VNC server until it is restarted.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited known exploitation. However, the flaw can be triggered remotely over HTTP by anyone who can reach the VNC server\u2019s proxy interface. An attacker can cause a server crash without requiring local privileges, resulting in downtime that could impact business continuity if the service is critical. Prompt remediation is advised."}}}}, "created": "2026-03-25T11:46:55.667015+00:00", "updated": "2026-03-25T20:49:41.570519+00:00", "vendors": ["libvncserver", "libvncserver$PRODUCT$libvncserver"]}