Hi Sven,

On Mon, Jun 15, 2026 at 10:23:52AM +0200, Sven Geuer wrote:
> X-Debbugs-Cc: [email protected], Debian Security Team
> <[email protected]>
>
> On Sat, 2026-05-30 at 09:42 +0200, Salvatore Bonaccorso wrote:
> > Source: libvncserver
> > Version: 0.9.15+dfsg-4
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team
> > <[email protected]>
> >
> > GHSA-v9pm-47h4-jcq8 (no CVE yet) describes:
> > Attacker-controlled heap out-of-bounds write in libvncclient Tight
> > decoder:
> > > A malicious (or man-in-the-middle) VNC server can force a connecting
> > > libvncclient to write attacker-controlled data past the end of its
> > > framebuffer. This is an out-of-bounds heap write with attacker-
> > > controlled length, contents, and offset. It needs no authentication
> > > (the attacker is the server), works in a default build with default
> > > settings, and fires from a single FramebufferUpdate the moment the
> > > victim connects. It crashes any client unconditionally (denial of
> > > service); we also demonstrated it overwriting an application callback
> > > pointer and redirecting execution to attacker-chosen code (code
> > > execution) under the default configuration.
> > https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8
>
> In the security advisory [1] upstream meanwhile lists CVE-2026-50538 as
> CVE ID of this issue, while there is still no CVE record available from
> cve.org [2]. Hence, I wonder whether or not one should already
> reference this CVE ID with fixing this bug.
>
> What is the Security Team's position in that regard?
Given it is a GitHub hosted project for which GitHub is a CNA, and the
CVE appeared in the GHSA, I'm inclined to associate it, yes. I updated
the tracker entry already to make the link.

Regards,
Salvatore
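The advisory quoted above describes the bug class (a FramebufferUpdate rectangle whose decoded pixels land past the end of the client's heap framebuffer, with the server choosing offset, length and contents) but not where the missing check sits. The following is an added example, not code from libvncserver, from the GHSA, or from this bug report: a minimal stand-in for a VNC client framebuffer with the two checks that bound such writes, an overflow-safe size check when the framebuffer is allocated from server-announced dimensions, and a per-rectangle bounds check that must run before any decoder (Tight or otherwise) writes. The struct and function names, the 1 GiB allocation limit and the sample rectangles are all assumptions constructed for the example; they are not libvncclient's own types or values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for a client-side framebuffer. Constructed for this example;
 * the field names are assumptions, not libvncclient's rfbClient layout. */
typedef struct {
    int width;      /* pixels, as announced by ServerInit or a DesktopSize update */
    int height;
    int bpp;        /* bytes per pixel, 1..4 */
    uint8_t *data;
    size_t len;     /* bytes actually allocated for data */
} framebuffer;

/* One rectangle header from a FramebufferUpdate, exactly as the untrusted
 * server sent it: four 16-bit fields, any value possible. */
typedef struct {
    uint16_t x, y, w, h;
} update_rect;

/* Allocate the framebuffer from server-announced dimensions, refusing sizes
 * whose byte count would overflow or exceed an assumed 1 GiB policy limit. */
bool framebuffer_init(framebuffer *fb, int width, int height, int bpp)
{
    const uint64_t max_bytes = (uint64_t)1 << 30;  /* assumed limit for the example */
    if (width <= 0 || height <= 0 || bpp < 1 || bpp > 4) return false;
    uint64_t bytes = (uint64_t)width * (uint64_t)height * (uint64_t)bpp;
    if (bytes > max_bytes) return false;
    fb->data = calloc(1, (size_t)bytes);
    if (!fb->data) return false;
    fb->width = width; fb->height = height; fb->bpp = bpp; fb->len = (size_t)bytes;
    return true;
}

/* The check every decoder must pass before writing a rectangle: columns
 * [x, x+w) and rows [y, y+h) must lie inside the current framebuffer.
 * 64-bit arithmetic so that x+w and y+h cannot wrap for 16-bit inputs. */
bool rect_in_bounds(const framebuffer *fb, update_rect r)
{
    uint64_t x_end = (uint64_t)r.x + r.w;
    uint64_t y_end = (uint64_t)r.y + r.h;
    return x_end <= (uint64_t)fb->width && y_end <= (uint64_t)fb->height;
}

/* Byte offset one past the last pixel of the rectangle's final row, i.e.
 * how far an unchecked row-by-row copy would reach into fb->data. */
uint64_t rect_end_offset(const framebuffer *fb, update_rect r)
{
    uint64_t rows_end = (uint64_t)r.y + r.h;   /* one past the last row */
    if (rows_end == 0) return 0;
    return ((rows_end - 1) * (uint64_t)fb->width + (uint64_t)r.x + r.w)
           * (uint64_t)fb->bpp;
}

/* Bytes past the end of a 640x480x4 framebuffer that an unchecked decoder
 * would write for this rectangle; 0 when the rectangle fits. */
uint64_t overreach_bytes(update_rect r)
{
    framebuffer fb = { 640, 480, 4, NULL, (size_t)640 * 480 * 4 };
    uint64_t end = rect_end_offset(&fb, r);
    return end > fb.len ? end - fb.len : 0;
}

/* Hardened rectangle fill: copies w*h*bpp bytes of already-decoded pixel
 * data into the framebuffer only after the bounds check. Writes nothing and
 * returns false when the server's rectangle is outside the framebuffer. */
bool fill_rect_checked(framebuffer *fb, update_rect r, const uint8_t *pixels)
{
    if (!rect_in_bounds(fb, r)) return false;
    size_t row_bytes = (size_t)r.w * (size_t)fb->bpp;
    for (uint32_t row = 0; row < r.h; row++) {
        size_t dst = (((size_t)r.y + row) * (size_t)fb->width + r.x) * (size_t)fb->bpp;
        memcpy(fb->data + dst, pixels + (size_t)row * row_bytes, row_bytes);
    }
    return true;
}

/* Whether framebuffer_init refuses the given server-announced geometry. */
bool init_refused(int width, int height, int bpp)
{
    framebuffer fb;
    if (!framebuffer_init(&fb, width, height, bpp)) return true;
    free(fb.data);
    return false;
}

/* Run the checked fill over constructed rectangles on a 640x480x4
 * framebuffer; returns how many were refused (the three malicious ones). */
int demo_refused_count(void)
{
    framebuffer fb;
    if (!framebuffer_init(&fb, 640, 480, 4)) return -1;
    size_t pix_len = (size_t)640 * 480 * 4;          /* enough for any rect below */
    uint8_t *pixels = malloc(pix_len);
    if (!pixels) { free(fb.data); return -1; }
    memset(pixels, 0xAA, pix_len);                   /* constructed "decoded" data */

    update_rect rects[] = {
        {0,     0,   640, 480},  /* full screen: legitimate */
        {600,   400, 100, 100},  /* spills past the right and bottom edges */
        {0,     470, 640,  20},  /* 10 rows past the end of the heap buffer */
        {65535, 0,     2,   1},  /* x+w wraps if computed in 16 bits */
    };
    int refused = 0;
    for (size_t i = 0; i < sizeof rects / sizeof rects[0]; i++)
        if (!fill_rect_checked(&fb, rects[i], pixels)) refused++;
    free(pixels);
    free(fb.data);
    return refused;
}
```

The third rectangle is the shape the advisory describes: a single rectangle header from the server picks the offset (y = 470, just inside the buffer) and the length (20 rows, 10 of which lie beyond it), and the pixel payload supplies the contents; `overreach_bytes` shows that an unchecked copy would reach 25600 bytes past the allocation. Note that the rectangle check alone is not enough: it compares against `fb->width`/`fb->height`, so those fields must always match the buffer actually allocated, which is why the size check and the assignment happen together in `framebuffer_init`.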

