2450845 – (CVE-2026-32854) CVE-2026-32854 LibVNCServer: LibVNCServer: Denial of Service via specially crafted HTTP requests

Bug 2450845 (CVE-2026-32854) - CVE-2026-32854 LibVNCServer: LibVNCServer: Denial of Service via specially crafted HTTP requests

Summary: CVE-2026-32854 LibVNCServer: LibVNCServer: Denial of Service via specially cr...

Keywords:
Status:	NEW
Alias:	CVE-2026-32854
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2450888 2450889
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-24 18:02 UTC by OSIDB Bzimport
Modified:	2026-03-24 20:01 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-24 18:02:14 UTC

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.

Note You need to log in before you can comment on or make changes to this bug.