Source: libvncserver
Version: 0.9.15+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libvncserver.

CVE-2026-32854[0]:
| LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee)
| contain null pointer dereference vulnerabilities in the HTTP proxy
| handlers within httpProcessInput() in httpd.c that allow remote
| attackers to cause a denial of service by sending specially crafted
| HTTP requests. Attackers can exploit missing validation of strchr()
| return values in the CONNECT and GET proxy handling paths to trigger
| null pointer dereferences and crash the server when httpd and proxy
| features are enabled.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-32854
    https://www.cve.org/CVERecord?id=CVE-2026-32854
[1] https://github.com/LibVNC/libvncserver/security/advisories/GHSA-xjp8-4qqv-5x4x
[2] https://github.com/LibVNC/libvncserver/commit/dc78dee51a7e270e537a541a17befdf2073f5314

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
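
The bug class named in the CVE text, strchr() results used without a NULL check, is illustrated here with an added example that is not part of the original report and is not libvncserver's code. The function name parse_connect_line, the "CONNECT host:port HTTP/1.x" line shape it accepts, and the sample lines are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not libvncserver's code): extract host and port from
 * a request line of the form "CONNECT host:port HTTP/1.x".
 * Returns 0 on success, -1 if the line is malformed. */
int parse_connect_line(const char *line, char *host, size_t host_len, int *port)
{
    static const char prefix[] = "CONNECT ";
    const char *target, *colon, *space;
    char *end;
    long p;

    if (strncmp(line, prefix, sizeof(prefix) - 1) != 0)
        return -1;
    target = line + sizeof(prefix) - 1;

    /* strchr() returns NULL when the delimiter is absent, so each result is
     * checked before it is dereferenced or used in pointer arithmetic. */
    space = strchr(target, ' ');
    if (space == NULL)
        return -1;
    colon = strchr(target, ':');
    if (colon == NULL || colon > space)
        return -1;
    if (colon == target || (size_t)(colon - target) >= host_len)
        return -1;                      /* empty host, or host too long */

    if (!isdigit((unsigned char)colon[1]))
        return -1;
    p = strtol(colon + 1, &end, 10);
    if (end != space || p < 1 || p > 65535)
        return -1;                      /* trailing junk or port out of range */

    memcpy(host, target, (size_t)(colon - target));
    host[colon - target] = '\0';
    *port = (int)p;
    return 0;
}

int main(void)
{
    /* Constructed samples: the second lacks ":port", the third the space. */
    const char *s[] = { "CONNECT vnc.example:5900 HTTP/1.0",
                        "CONNECT vnc.example HTTP/1.0", "CONNECT vnc.example:5900" };
    char host[64]; int port;
    for (size_t i = 0; i < 3; i++)
        printf("%-36s -> %s\n", s[i], parse_connect_line(s[i], host, sizeof host, &port) ? "rejected" : "accepted");
    return 0;
}
```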

