X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
On Sat, 2026-05-30 at 09:42 +0200, Salvatore Bonaccorso wrote:
> Source: libvncserver
> Version: 0.9.15+dfsg-4
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> GHSA-v9pm-47h4-jcq8 (no CVE yet) describes:
> Attacker-controlled heap out-of-bounds write in libvncclient Tight
> decoder:
> > A malicious (or man-in-the-middle) VNC server can force a connecting
> > libvncclient to write attacker-controlled data past the end of its
> > framebuffer. This is an out-of-bounds heap write with attacker-
> > controlled length, contents, and offset. It needs no authentication
> > (the attacker is the server), works in a default build with default
> > settings, and fires from a single FramebufferUpdate the moment the
> > victim connects. It crashes any client unconditionally (denial of
> > service); we also demonstrated it overwriting an application callback
> > pointer and redirecting execution to attacker-chosen code (code
> > execution) under the default configuration.
> https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8

In the security advisory [1] upstream meanwhile lists CVE-2026-50538 as
CVE ID of this issue, while there is still no CVE record available from
cve.org [2]. Hence, I wonder whether or not one should already reference
this CVE ID with fixing this bug. What is the Security Team's position
in that regard?

Sven

[1] https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8
[2] https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-50538

--
GPG Fingerprint
3DF5 E8AA 43FC 9FDF D086 F195 ADF5 0EDA F8AD D585

