Description
In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.
Published: 2026-03-26
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized screen content exposure and potential denial of service
Action: Immediate Patch
AI Analysis

Impact

A misconfigured permission in TigerVNC’s Image.cxx within the x0vncserver module allows local users to view or manipulate the screen contents, or trigger a crash of the application. This vulnerability can lead to confidential information being disclosed or the remote desktop session being disrupted, thereby compromising the integrity and availability of the graphical environment.

Affected Systems

The issue affects installations of TigerVNC version 1.16.1 and earlier. Users deploying these versions should verify their current release; upgrading to 1.16.2 or later fixes the incorrect permissions.

Risk and Exploitability

The CVSS score of 8.5 indicates a high-severity vulnerability. Although no EPSS value is supplied, exploitation requires only local access, meaning any local user on the same host could exploit it. The vulnerability is not listed in the CISA KEV catalogue, but its high impact and local nature warrant urgent attention. It is inferred that the attack vector is local, via shared memory or file permissions.

Generated by OpenCVE AI on March 27, 2026 at 06:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TigerVNC to version 1.16.2 or later from the official repository or release page.
  • Verify that the installed binary reports the patched version and that the Image.cxx source reflects the security fix.
  • Restrict local access to the Xvnc service by ensuring only authorized users can run the server, for example by setting strict file permissions on the X server socket or by configuring the daemon to run under a dedicated account.



Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
Title | Permission Misconfiguration Allows Unauthorized Access to Screen Content in TigerVNC | TigerVNC: x0vncserver: TigerVNC x0vncserver: Information disclosure, data manipulation, and denial of service via incorrect permissions
Weaknesses | | CWE-279
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Fri, 27 Mar 2026 09:30:00 +0000

Type | Values Removed | Values Added
Title | | Permission Misconfiguration Allows Unauthorized Access to Screen Content in TigerVNC

Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Tigervnc; Tigervnc tigervnc
Vendors & Products | | Tigervnc; Tigervnc tigervnc

Fri, 27 Mar 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.
Weaknesses | | CWE-732
References | |
Metrics | | cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T13:53:48.564Z

Reserved: 2026-03-26T22:30:46.508Z

Link: CVE-2026-34352

Vulnrichment

Updated: 2026-03-27T13:28:53.233Z

NVD

Status: Received

Published: 2026-03-26T23:16:20.903

Modified: 2026-03-26T23:16:20.903

Link: CVE-2026-34352

Redhat

Severity: Moderate

Public Date: 2026-03-26T22:30:46Z

Links: CVE-2026-34352 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:22:56Z

Weaknesses