PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32854 LibVNC CVE debrief

CVE-2026-32854 is a null pointer dereference vulnerability in LibVNCServer versions 0.9.15 and prior. The vulnerability allows remote attackers to cause a denial of service by sending specially crafted HTTP requests to the server when the httpd and proxy features are enabled. This issue is caused by missing validation of strchr() return values in the CONNECT and GET proxy handling paths, leading to null pointer dereferences and server crashes. Users of affected versions should apply patches or mitigations to prevent denial of service attacks.

Vendor
LibVNC
Product
LibVNCServer
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-24
Original CVE updated
2026-07-14
Advisory published
2026-03-24
Advisory updated
2026-07-14

Who should care

Users of LibVNCServer versions 0.9.15 and prior should apply patches or mitigations to prevent denial of service attacks. This includes administrators of systems using LibVNCServer, security teams responsible for vulnerability management, and operators of affected platforms. Implementing network segmentation, monitoring server logs for suspicious HTTP requests, and isolating affected systems can help mitigate the risk.

Technical summary

The vulnerability exists in the HTTP proxy handlers within httpProcessInput() in httpd.c of LibVNCServer. Attackers can exploit this by sending specially crafted HTTP requests, which can trigger null pointer dereferences and crash the server when httpd and proxy features are enabled. The issue arises from the lack of validation of strchr() return values in the CONNECT and GET proxy handling paths. This vulnerability has been fixed in commit dc78dee.

Defensive priority

Medium priority due to CVSS score of 6.3 and potential for denial of service attacks.

Recommended defensive actions

  • Apply patches or updates to LibVNCServer versions 0.9.15 and prior.
  • Disable httpd and proxy features if not required.
  • Monitor server logs for suspicious HTTP requests.
  • Implement network segmentation and isolation to limit attack scope.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record was published on 2026-03-24T18:16:09.423Z and has been modified since then. The NVD entry is currently Analyzed. The vulnerability has been fixed in commit dc78dee. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify affected systems and apply patches or mitigations accordingly.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-03-24T18:16:09.423Z and has been modified since then. The NVD entry is currently Analyzed.