Stack Buffer Overflow in Neat VNC Server Library Affects Multiple Versions
CVE-2026-42859

8.1HIGH

Key Information:

Vendor: Any1
Status: Neatvnc
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-42859?

A pre-authentication stack buffer overflow vulnerability has been identified in the Neat VNC server library. This vulnerability allows an unauthenticated remote attacker to exploit the VNC listening socket by sending a specially crafted RSA-AES or RSA-AES-256 handshake using an oversized client RSA public key. As a result, this leads to an overflow of a 1024-byte on-stack buffer within the rsa_aes_send_challenge function, potentially causing a denial of service through server crashes. Users are strongly advised to upgrade to version 0.9.6 to mitigate this risk.

Affected Version(s)

neatvnc < 0.9.6

References

https://github.com/any1/neatvnc/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/any1/neatvnc/commit/1f6cd6b75cc167fed3...

x_refsource_MISC

CVSS V4

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-42859 Data

JSON

Any1

What is CVE-2026-42859?

Affected Version(s)

References

CVSS V4

Timeline