Null Pointer Dereference Vulnerability in LibVNCServer by LibVNC
CVE-2026-32854

6.3 MEDIUM

Key Information:

Vendor

Libvnc

CVE Published:
24 March 2026

What is CVE-2026-32854?

LibVNCServer versions 0.9.15 and earlier contain a null pointer dereference vulnerability in the HTTP proxy handlers within the httpProcessInput() function. The handlers do not adequately validate the return values of strchr(), so a remote attacker can send a specially crafted HTTP request that triggers the dereference. When the httpd and proxy features are both enabled, this results in a denial of service, potentially crashing the server. The issue has been addressed in a patch; update to a fixed version.
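The defensive pattern for this bug class, as an added example that is not LibVNCServer code and not the project's patch: every strchr() result is checked for NULL before it is used. The function name `parse_connect_port` and the `CONNECT host:port` request shape are assumptions made for illustration, and the sample request lines are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from LibVNCServer). Extracts the port from a
 * request line assumed to look like "CONNECT host:port HTTP/1.0".
 * Returns the port (1-65535), or -1 if the line is malformed. */
int parse_connect_port(const char *line)
{
    static const char prefix[] = "CONNECT ";
    const char *target, *colon, *end;
    char *stop;
    long port;

    if (line == NULL || strncmp(line, prefix, sizeof prefix - 1) != 0)
        return -1;
    target = line + sizeof prefix - 1;

    /* The target token ends at the next space or line terminator. */
    end = target + strcspn(target, " \r\n");

    /* strchr() returns NULL when the delimiter is absent. Using the
     * result (for example colon + 1) without this check dereferences
     * an invalid pointer and crashes the process. */
    colon = strchr(target, ':');
    if (colon == NULL || colon >= end || colon == target)
        return -1;          /* no ':' in the target, or empty host */

    errno = 0;
    port = strtol(colon + 1, &stop, 10);
    if (stop == colon + 1 || stop != end || errno != 0)
        return -1;          /* empty or non-numeric port */
    if (port < 1 || port > 65535)
        return -1;          /* out of range */
    return (int)port;
}

int main(void)
{
    /* Constructed sample lines: one well-formed, one missing ':'. */
    printf("%d\n", parse_connect_port("CONNECT localhost:5900 HTTP/1.0\r\n"));
    printf("%d\n", parse_connect_port("CONNECT localhost HTTP/1.0\r\n"));
    return 0;
}
```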

Affected Version(s)

LibVNCServer 0 <= 0.9.15

LibVNCServer dc78dee51a7e270e537a541a17befdf2073f5314

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc.