PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5885 Fedoraproject CVE debrief

CVE-2017-5885 is a critical memory-safety flaw in gtk-vnc before 0.7.0. A malicious or compromised VNC server can trigger integer overflows in message handling paths, leading to a crash and, in the worst case described by the advisory, possible arbitrary code execution. The issue is tied to SetColorMapEntries processing and buffer overflow conditions, so the main risk is when systems connect to untrusted VNC servers through affected gtk-vnc builds.

Vendor: Fedoraproject
Product: CVE-2017-5885
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-28
Original CVE updated: 2026-05-13
Advisory published: 2017-02-28
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and distribution maintainers using gtk-vnc, especially where clients connect to external or untrusted VNC servers. Fedora package maintainers and users of affected distro builds should also review their patch status.

Technical summary

NVD lists the weakness as CWE-190 (integer overflow) and rates the issue CVSS 3.0 9.8/CRITICAL with AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability affects gtk-vnc versions before 0.7.0 and is described as two integer overflows in vnc_connection_server_message and vnc_color_map_set. Per the record, vectors involving SetColorMapEntries can trigger a buffer overflow, making the flaw remotely reachable from a malicious VNC server.
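To make the CWE-190 point concrete, here is an added example that is not gtk-vnc's code and does not reproduce its patch. It is a hypothetical client-side parser for the SetColourMapEntries message (message type 1), using the wire layout from RFC 6143 section 7.6.2: one type byte, one padding byte, a 16-bit first-colour, a 16-bit number-of-colours, then six bytes per entry. Because both index fields are 16-bit, adding them in 16-bit arithmetic wraps, which is the class of defect the record describes; the hardened check promotes to 32 bits before comparing against the map size and also checks the declared entry count against the bytes actually received. The message bytes and the `color_map` type are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not gtk-vnc code. Layout per RFC 6143 section 7.6.2 (SetColourMapEntries):
 *   U8 type (=1), U8 padding, U16 first-colour, U16 number-of-colours,
 *   then number-of-colours entries of (U16 red, U16 green, U16 blue).
 * Colour indices are 16-bit, so a full map has at most 65536 entries. */
#define RFB_COLOR_MAP_ENTRIES 65536u
#define RFB_SCME_HEADER_LEN   6u
#define RFB_SCME_ENTRY_LEN    6u

/* Hypothetical colour map: one RGB triple per 16-bit colour index. */
typedef struct {
    uint16_t rgb[RFB_COLOR_MAP_ENTRIES][3];
} color_map;

static uint16_t read_u16be(const uint8_t *p)
{
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* The check a parser must NOT rely on: adding two 16-bit fields and keeping a 16-bit
 * result wraps modulo 65536 (CWE-190). The truncated value is always <= 65535, so the
 * bound below is never actually enforced. */
bool range_check_narrow(uint16_t first, uint16_t n)
{
    uint32_t end = (uint16_t)(first + n);    /* truncated to 16 bits before the compare */
    return end <= RFB_COLOR_MAP_ENTRIES;
}

/* The hardened check: widen both operands before adding, so the sum cannot wrap. */
bool range_check_wide(uint16_t first, uint16_t n)
{
    return (uint32_t)first + (uint32_t)n <= RFB_COLOR_MAP_ENTRIES;
}

/* Parse one SetColourMapEntries message into map.
 * Returns the number of entries applied, or -1 if the message is malformed. */
int parse_set_color_map_entries(color_map *map, const uint8_t *msg, size_t len)
{
    if (len < RFB_SCME_HEADER_LEN || msg[0] != 1)
        return -1;                                   /* wrong type or header truncated */
    uint16_t first = read_u16be(msg + 2);
    uint16_t n     = read_u16be(msg + 4);

    if (!range_check_wide(first, n))
        return -1;                                   /* entries would index past the map */
    /* n <= 65535, so n * 6 cannot overflow size_t; compare against bytes actually present. */
    if ((size_t)n * RFB_SCME_ENTRY_LEN > len - RFB_SCME_HEADER_LEN)
        return -1;                                   /* declared count exceeds payload */

    const uint8_t *p = msg + RFB_SCME_HEADER_LEN;
    for (uint32_t i = 0; i < n; i++, p += RFB_SCME_ENTRY_LEN) {
        uint32_t idx = first + i;                    /* < 65536 by the widened check */
        map->rgb[idx][0] = read_u16be(p);
        map->rgb[idx][1] = read_u16be(p + 2);
        map->rgb[idx][2] = read_u16be(p + 4);
    }
    return (int)n;
}

static color_map g_map;

/* Constructed well-formed message: first-colour 256, two entries. */
static const uint8_t valid_msg[] = {
    0x01, 0x00, 0x01, 0x00, 0x00, 0x02,
    0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,   /* entry 256: full red   */
    0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,   /* entry 257: full green */
};

/* Constructed malformed message: first-colour 65535 with two entries;
 * 65535 + 2 wraps to 1 in 16-bit arithmetic, so the narrow check would accept it. */
static const uint8_t wrapping_msg[] = {
    0x01, 0x00, 0xFF, 0xFF, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Constructed message whose header claims three entries but carries only one. */
static const uint8_t short_msg[] = {
    0x01, 0x00, 0x00, 0x00, 0x00, 0x03,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

int apply_valid_message(void)    { return parse_set_color_map_entries(&g_map, valid_msg, sizeof valid_msg); }
int apply_wrapping_message(void) { return parse_set_color_map_entries(&g_map, wrapping_msg, sizeof wrapping_msg); }
int apply_short_message(void)    { return parse_set_color_map_entries(&g_map, short_msg, sizeof short_msg); }
uint16_t map_entry(uint16_t idx, int channel) { return g_map.rgb[idx][channel]; }

int main(void)
{
    printf("valid: %d, wrapping: %d, short: %d\n",
           apply_valid_message(), apply_wrapping_message(), apply_short_message());
    printf("narrow check on (65535, 2): %d, wide check: %d\n",
           range_check_narrow(0xFFFF, 2), range_check_wide(0xFFFF, 2));
    return 0;
}
```

The two checks differ only in operand width, which is the whole lesson: a bound comparison is only as good as the arithmetic feeding it, and any length or index derived from two attacker-controlled 16-bit fields has to be computed in a wider type before it is compared or used to index a buffer.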

Defensive priority

High. This is remotely reachable, requires no privileges or user interaction, and is marked critical. Treat exposure to untrusted VNC servers as urgent to remediate.

Recommended defensive actions

  • Upgrade gtk-vnc to 0.7.0 or later, or apply the vendor/distribution fix referenced in the advisories.
  • Check downstream package advisories and rebuilds, including Red Hat and Fedora references, to confirm the patched build is installed.
  • Inventory applications and systems that use gtk-vnc so you can identify exposed clients.
  • Restrict or avoid connections to untrusted VNC servers until remediation is complete.
  • Verify remediation by confirming the installed package version is outside the affected range and matches the fixed advisory for your platform.
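For the version check in the last bullet, here is an added shell helper that is not part of the advisory. It compares an upstream gtk-vnc version string against 0.7.0, the first fixed release named on this page, using version-sort order rather than plain string comparison (so 0.10.0 correctly ranks above 0.7.0). The rpm query in the comment assumes an RPM-based system with gtk-vnc installed.

```shell
#!/bin/sh
# Added example, not from the advisory. Classifies a gtk-vnc upstream version
# string against the first fixed release the page names (0.7.0).
FIXED_VERSION="0.7.0"

# Prints "fixed" if $1 is 0.7.0 or newer in version-sort order, else "affected".
gtk_vnc_version_status() {
    ver="$1"
    # sort -V orders version strings component by component. If the lowest of
    # (installed, fixed) is the fixed version, the installed one is not older.
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_VERSION" ]; then
        echo fixed
    else
        echo affected
    fi
}

# Usage on an RPM-based system (assumes rpm is available and gtk-vnc is installed):
#   gtk_vnc_version_status "$(rpm -q --qf '%{VERSION}' gtk-vnc)"
```

This only answers whether the upstream version is inside the affected range. Where a distribution backports the fix without bumping the upstream version, compare the full package release against the platform advisory (the Red Hat errata or Fedora announcement referenced on this page) rather than relying on the version number alone.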

Evidence notes

The source corpus identifies gtk-vnc versions before 0.7.0 as affected and includes upstream and downstream references: oss-security posts, GNOME Bugzilla issue 778050, an upstream gtk-vnc commit, Red Hat errata RHSA-2017:2258, and a Fedora package announcement. NVD’s record also lists Fedora 25 and gtk-vnc CPEs and classifies the weakness as CWE-190. Timing context: the CVE was published on 2017-02-28, with upstream discussion references from 2017-02-03 and 2017-02-05.

Official resources

Publicly disclosed in February 2017; the CVE record was published on 2017-02-28. NVD’s record was later modified on 2026-05-13, which should not be treated as the issue date.