Description
In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.
Published: 2026-03-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure and Denial of Service
Action: Patch Now
AI Analysis

Impact

A flaw in TigerVNC's x0vncserver component, present before version 1.16.2, permits any other local user on the same system to view or alter the server's screen content and, in some cases, trigger a crash. This results in unauthorized data exposure, potential tampering with displayed information, and disruption of service. The underlying weakness stems from improper authorization and incorrect file permissions (CWE-279 and CWE-732).

Affected Systems

The vulnerability affects TigerVNC, specifically versions earlier than 1.16.2. Users running any of those earlier releases on a multi‑user machine are at risk. Upgrading to 1.16.2 or later eliminates the issue.

Risk and Exploitability

The CVSS score of 8.5 indicates a high severity, but the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread. The vulnerability is local: an attacker must hold a separate user account on the same host and exploit the permissive executable permissions of x0vncserver. No remote exploitation vector is reported, and the flaw is not listed in the CISA KEV catalog, which reduces the immediacy of known attacks but still requires mitigation because of its high impact once a local attacker has access.

Generated by OpenCVE AI on April 2, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TigerVNC to version 1.16.2 or later, which contains the fix for the permission issue.
  • If an immediate update is not possible, restrict the execute permissions on the x0vncserver binary and any related files so that only trusted users or groups can access them.
  • Ensure that users who should not use the VNC server are not members of the group that has permission to run the binary.
  • Monitor system logs for anomalous VNC activity and consider disabling the x0vncserver feature if it is not required.
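The permission-tightening steps in the list above, as an added shell example that is not part of the advisory or of the TigerVNC project. The install path /usr/bin/x0vncserver, the group name vncusers and all function names are assumptions; override the path and group with the X0VNC_BIN and VNC_GROUP environment variables to match your system. The audit reports whether the binary is executable by every local account, and the fix restricts it to root and one trusted group, which is the condition the recommended actions ask for.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the TigerVNC project.
# Audits the x0vncserver binary for the "any local user can run it"
# condition and optionally restricts it to a single trusted group.
# Path and group name are assumptions; override them via the environment.

X0VNC_BIN="${X0VNC_BIN:-/usr/bin/x0vncserver}"   # assumed install path
VNC_GROUP="${VNC_GROUP:-vncusers}"               # assumed trusted group

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Exit 0 when "other" has the execute bit on the file, 1 otherwise.
# find -perm -o=x is POSIX and avoids hand-parsing ls -l output.
world_executable() {
    [ -n "$(find "$1" -prune -perm -o=x -print 2>/dev/null)" ]
}

# One-line verdict for a binary; exit status 1 means "needs attention".
audit_binary() {
    bin="$1"
    if [ ! -e "$bin" ]; then
        printf '%s: not installed\n' "$bin"
        return 0
    fi
    if world_executable "$bin"; then
        printf '%s mode %s: WORLD-EXECUTABLE\n' "$bin" "$(file_mode "$bin")"
        return 1
    fi
    printf '%s mode %s: restricted\n' "$bin" "$(file_mode "$bin")"
    return 0
}

# Restrict the binary to root and the trusted group (mode 0750).
# If the group does not exist yet, a note is printed and only the mode is
# changed, so the world-execute bit is still removed.
tighten_binary() {
    bin="$1"
    group="$2"
    if getent group "$group" >/dev/null 2>&1; then
        chgrp "$group" "$bin"
    else
        printf 'note: group %s does not exist; create it and rerun\n' "$group" >&2
    fi
    chmod 0750 "$bin"
}

# Comma-separated members of a group, so you can review who may still run
# the server (getent is available on glibc systems; adjust elsewhere).
group_members() {
    getent group "$1" 2>/dev/null | cut -d: -f4
}

# Usage when run directly:  sh audit_x0vnc.sh [--fix]
if [ "${0##*/}" = "audit_x0vnc.sh" ]; then
    if ! audit_binary "$X0VNC_BIN"; then
        if [ "$1" = "--fix" ]; then
            tighten_binary "$X0VNC_BIN" "$VNC_GROUP"
            audit_binary "$X0VNC_BIN"
        fi
    fi
    printf 'members of %s: %s\n' "$VNC_GROUP" "$(group_members "$VNC_GROUP")"
fi
```

Run the audit first without --fix on every multi-user host, then apply --fix only where the group listed at the end contains exactly the accounts that are meant to share the display; a world-executable setuid or setgid binary is the case the audit is designed to catch, and upgrading to 1.16.2 remains the real fix.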

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type: CPEs
Values Removed: none
Values Added: cpe:2.3:a:tigervnc:tigervnc:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 12:15:00 +0000

Type: Title
Values Removed: Permission Misconfiguration Allows Unauthorized Access to Screen Content in TigerVNC
Values Added: TigerVNC: x0vncserver: TigerVNC x0vncserver: Information disclosure, data manipulation, and denial of service via incorrect permissions

Type: Weaknesses
Values Removed: none
Values Added: CWE-279

Type: References (no values shown)

Type: Metrics (threat_severity)
Values Removed: None
Values Added: threat_severity: Moderate


Fri, 27 Mar 2026 09:30:00 +0000

Type: Title
Values Removed: none
Values Added: Permission Misconfiguration Allows Unauthorized Access to Screen Content in TigerVNC

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Tigervnc (vendor), Tigervnc tigervnc (product)

Type: Vendors & Products
Values Removed: none
Values Added: Tigervnc (vendor), Tigervnc tigervnc (product)

Fri, 27 Mar 2026 04:00:00 +0000

Type: Description
Values Removed: none
Values Added: In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.

Type: Weaknesses
Values Removed: none
Values Added: CWE-732

Type: References (no values shown)

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 8.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L'}


Subscriptions

Tigervnc Tigervnc
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T13:53:48.564Z

Reserved: 2026-03-26T22:30:46.508Z

Link: CVE-2026-34352

Vulnrichment

Updated: 2026-03-27T13:28:53.233Z

NVD

Status: Analyzed

Published: 2026-03-26T23:16:20.903

Modified: 2026-04-02T20:16:16.010

Link: CVE-2026-34352

Redhat

Severity: Moderate

Public Date: 2026-03-26T22:30:46Z

Links: CVE-2026-34352 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:38:46Z

Weaknesses