Description
Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.
Published: 2026-05-11
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack buffer overflow occurs in Neat VNC's RSA-AES security type handler when an unauthenticated remote client sends an oversized RSA public key during the handshake. The write runs past the end of a 1024-byte on-stack buffer while the server encrypts its challenge, causing the server to crash. The description indicates at least a denial of service, and because the overflow takes place before any authentication, a malicious actor could potentially escalate the vulnerability to arbitrary code execution, although this is not explicitly confirmed in the announcement.
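The class of check that closes this kind of bug, as an added example (not neatvnc's code and not its actual patch): validate the declared key size against the buffer that will receive the encrypted challenge before any RSA operation runs. The message layout (big-endian u32 bit length, then modulus and exponent of ceil(bits/8) bytes each), the function names and the minimum key size are assumptions; only the 1024-byte buffer size comes from the description.

```c
#include <stddef.h>
#include <stdint.h>

#define CHALLENGE_BUF_SIZE 1024 /* on-stack buffer size named in the advisory */
#define MIN_KEY_BITS 1024       /* assumed policy floor, not from the advisory */

enum key_check { KEY_OK, KEY_TRUNCATED, KEY_TOO_SMALL, KEY_TOO_LARGE };

/* Validate a client public key message before any RSA operation.
 * Assumed layout: u32 big-endian bit length, then modulus and exponent,
 * each ceil(bits/8) bytes. RSA ciphertext is as long as the modulus, so
 * the modulus size must fit the buffer that receives the encrypted
 * challenge (out_cap). */
enum key_check check_client_key(const uint8_t *msg, size_t msg_len,
                                size_t out_cap, size_t *mod_bytes)
{
    if (msg_len < 4)
        return KEY_TRUNCATED;
    uint32_t bits = (uint32_t)msg[0] << 24 | (uint32_t)msg[1] << 16 |
                    (uint32_t)msg[2] << 8 | (uint32_t)msg[3];
    if (bits < MIN_KEY_BITS)
        return KEY_TOO_SMALL;
    /* 64-bit arithmetic so bits + 7 cannot wrap for bits near UINT32_MAX. */
    uint64_t n = ((uint64_t)bits + 7) / 8;
    if (n > out_cap)
        return KEY_TOO_LARGE;
    if (msg_len - 4 < 2 * n)
        return KEY_TRUNCATED;
    *mod_bytes = (size_t)n;
    return KEY_OK;
}

/* Constructed sample input: zero-filled key material behind a length header. */
static uint8_t sample[4 + 2 * 2048];

enum key_check check_sample(uint32_t bits, size_t body, size_t *mod_bytes)
{
    if (body > sizeof(sample) - 4)
        body = sizeof(sample) - 4;
    sample[0] = (uint8_t)(bits >> 24);
    sample[1] = (uint8_t)(bits >> 16);
    sample[2] = (uint8_t)(bits >> 8);
    sample[3] = (uint8_t)bits;
    return check_client_key(sample, 4 + body, CHALLENGE_BUF_SIZE, mod_bytes);
}
```

A key is accepted only when its modulus, and therefore the encrypted challenge, fits the destination buffer; anything larger is rejected before encryption is attempted.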

Affected Systems

The Neat VNC library, produced by any1, is affected in all releases prior to version 0.9.6. The issue exists in the handling of the RSA-AES and RSA-AES-256 security types; any installation deploying these security types before the 0.9.6 update is vulnerable.

Risk and Exploitability

This flaw carries a CVSS score of 8.1 and is not currently listed in the CISA KEV catalog. The EPSS score is unavailable, but the absence of any authentication requirement makes it highly actionable. An attacker who can reach the VNC listening socket can craft a malicious handshake message containing an oversized key, trigger the overflow, and crash the server. This is a straightforward exploit path, with no privilege escalation needed on the client side.

Generated by OpenCVE AI on May 11, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Neat VNC release (0.9.6 or newer) to fix the buffer overflow.
  • If upgrading is not possible immediately, reconfigure the VNC server to disable RSA‑AES and RSA‑AES‑256 security types so the vulnerable code path is never exercised.
  • Restrict network access to the VNC listening port using firewalls or host‑based controls to limit exposure to trusted hosts.

Generated by OpenCVE AI on May 11, 2026 at 19:26 UTC.

Advisories

No advisories yet.

History

Mon, 11 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Any1
Any1 neatvnc
Vendors & Products Any1
Any1 neatvnc

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 18:00:00 +0000

Type Values Removed Values Added
Description Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.
Title Neat VNC: Buffer overflow due to oversized RSA public keys
Weaknesses CWE-120
References
Metrics cvssV4_0

{'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:22:03.144Z

Reserved: 2026-04-30T16:44:48.379Z

Link: CVE-2026-42859

Vulnrichment

Updated: 2026-05-11T18:21:49.508Z

NVD

Status: Received

Published: 2026-05-11T18:16:36.400

Modified: 2026-05-11T18:16:36.400

Link: CVE-2026-42859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T19:30:06Z

Weaknesses