Stack Use-After-Return Vulnerability in TigerVNC
CVE-2019-15691

7.2HIGH

Key Information:

Vendor
Kaspersky
Status
Tigervnc
Vendor
CVE Published:
26 December 2019

Summary

TigerVNC versions prior to 1.10.1 are affected by a stack use-after-return vulnerability due to improper handling of stack memory in the ZRLEDecoder. When the decoding routine encounters an exception, it may attempt to access a stack variable that has already been deallocated during stack unwinding. This flaw could allow an attacker to execute arbitrary code remotely, especially if exploited over a network connection.

Affected Version(s)

TigerVNC 1.10.0

References

https://github.com/CendioOssman/tigervnc/commit/d61a767d6...
x_refsource_MISC
https://github.com/TigerVNC/tigervnc/releases/tag/v1.10.1
x_refsource_MISC
https://www.openwall.com/lists/oss-security/2019/12/20/2
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.