Cyber Posture

CVE-2026-32853

Severity: High · Public PoC

Published: 24 March 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: commit 009008e
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS Score: 0.0006 (18.4th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32853 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Libvncserver Project Libvncserver. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 18.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and one other technique (T1212). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2): Flaw remediation directly mitigates this vulnerability by applying the vendor patch (commit 009008e) to LibVNCServer, eliminating the heap out-of-bounds read.

Prevent (SI-10): Information input validation enforces proper bounds checking on VNC protocol subrectangle header counts, preventing reads beyond allocated heap buffers.

Prevent: Memory protection mechanisms such as ASLR and DEP reduce the impact of heap out-of-bounds reads by randomizing addresses and restricting unauthorized memory access.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1212 Exploitation for Credential Access (tactic: Credential Access)
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

An out-of-bounds read in the VNC client library enables heap memory disclosure when a client connects to a malicious server (T1005); the high confidentiality impact supports exploitation for credential access (T1212).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.

Deeper analysis

LibVNCServer versions 0.9.15 and prior contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler. The issue stems from improper bounds checking in the HandleUltraZipBPP() function, where attackers can manipulate subrectangle header counts to read beyond the allocated heap buffer. This affects client applications using the library to connect to VNC servers.

A malicious VNC server can exploit the vulnerability against remote clients with no privileges required, provided the user interacts by connecting to the server. Successful exploitation leads to high-impact information disclosure from heap memory or an application crash, as indicated by the CVSS 3.1 score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H). The flaw is classified under CWE-125 (Out-of-bounds Read).

The vulnerability is fixed in commit 009008e2f4d5a54dd71f422070df3af7b3dbc931, available on the LibVNC/libvncserver GitHub repository. Security advisories from GitHub (GHSA-87q7-v983-qwcj) and VulnCheck recommend updating to the patched version to mitigate the issue.

Details

CWE(s): CWE-125 (Out-of-bounds Read)

Affected Products

libvncserver project / libvncserver, versions ≤ 0.9.15

CVEs Like This One

CVE-2026-32854 (same product: Libvncserver Project Libvncserver)
CVE-2026-23568 (shared CWE-125)
CVE-2026-31464 (shared CWE-125)
CVE-2026-24915 (shared CWE-125)
CVE-2025-20920 (shared CWE-125)
CVE-2025-20918 (shared CWE-125)
CVE-2025-71116 (shared CWE-125)
CVE-2024-53834 (shared CWE-125)
CVE-2026-31885 (shared CWE-125)
CVE-2025-20914 (shared CWE-125)
