Cyber Resilience

CVE-2026-32854

Severity: Medium · Public PoC

Published: 24 March 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: commit dc78dee
CVSS v4 score: 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0089 (76.0th percentile)
Risk priority: 13 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32854 is a medium-severity NULL pointer dereference (CWE-476) vulnerability in LibVNCServer (listed as Libvncserver Project Libvncserver). Its CVSS v4 base score is 6.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 24.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

LibVNCServer versions 0.9.15 and prior contain null pointer dereference vulnerabilities in the HTTP proxy handlers within the httpProcessInput function in httpd.c. The flaws stem from missing validation of strchr return values in the CONNECT and GET proxy handling paths and are assigned CWE-476. They affect deployments where the httpd and proxy features are enabled and were addressed in commit dc78dee.

Remote attackers can trigger the issues by sending specially crafted HTTP requests over the network, causing a null pointer dereference that crashes the server and produces a denial of service. The CVSS 4.0 score of 6.3 reflects network attack vector, low complexity, and limited impact confined to availability with no privileges or user interaction required.
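As an added illustration of the defect class described above (this is constructed example code, not LibVNCServer's httpd.c and not code from the advisory), the unchecked strchr() shape in a CONNECT proxy request parser is shown beside hardened CONNECT and GET parsers that validate every strchr() result and reject malformed requests instead of crashing. Function names and the request lines are hypothetical.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the CWE-476 pattern described above: a proxy
 * request line is split with strchr(), and the result is used without a
 * NULL check. This is NOT LibVNCServer's httpd.c; names are hypothetical. */

/* Vulnerable shape: on "CONNECT host HTTP/1.0" (no ':') strchr() returns
 * NULL and colon + 1 is dereferenced, crashing the whole server process. */
int connect_port_unchecked(const char *req) {
    const char *colon = strchr(req, ':');
    return atoi(colon + 1);          /* NULL + 1 dereference on malformed input */
}

/* Hardened shape: every strchr() result is validated, and a malformed
 * request yields -1 so the caller can reject it (input validation plus
 * graceful error handling) instead of taking the service down. */
int connect_port_checked(const char *req) {
    const char *host = strchr(req, ' ');
    if (host == NULL) return -1;
    host++;
    const char *colon = strchr(host, ':');
    if (colon == NULL) return -1;       /* no port separator */
    const char *end = strchr(colon, ' ');
    if (end == NULL) return -1;         /* no HTTP version after the port */
    char *stop;
    long port = strtol(colon + 1, &stop, 10);
    if (stop != end || port < 1 || port > 65535) return -1;
    return (int)port;
}

/* GET proxy path, hardened: returns the length of the host in
 * "GET http://host/path HTTP/1.0", or -1 if any delimiter is missing.
 * The '/' search is bounded to the URL so the '/' in "HTTP/1.0" cannot match. */
int get_proxy_host_len_checked(const char *req) {
    const char *url = strchr(req, ' ');
    if (url == NULL) return -1;
    url++;
    if (strncmp(url, "http://", 7) != 0) return -1;
    const char *host = url + 7;
    const char *end = strchr(host, ' ');
    if (end == NULL) return -1;
    const char *slash = memchr(host, '/', (size_t)(end - host));
    if (slash == NULL || slash == host) return -1;
    return (int)(slash - host);
}
```

The unchecked function is kept only to show the defect shape; feed it well-formed input, since a request without ':' dereferences NULL exactly as the advisory describes.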

The official fix is documented in the LibVNC repository commit dc78dee along with the GitHub security advisory GHSA-xjp8-4qqv-5x4x and the VulnCheck advisory that detail the affected code paths and remediation.

EPSS for the CVE rose from a low baseline to a peak of 0.0273 on 2026-05-05 before receding to the current value of 0.0089, indicating a measurable increase in exploitation interest after public disclosure.


Vulnerability details

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Null pointer dereference in HTTP proxy handler allows remote unauthenticated crafted requests to crash the LibVNCServer process, directly mapping to application/system exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32853 · Same product: Libvncserver Project Libvncserver
CVE-2026-40413 · Shared CWE-476
CVE-2025-57155 · Shared CWE-476
CVE-2026-28390 · Shared CWE-476
CVE-2026-23952 · Shared CWE-476
CVE-2025-57156 · Shared CWE-476
CVE-2025-63647 · Shared CWE-476
CVE-2025-69624 · Shared CWE-476
CVE-2024-55193 · Shared CWE-476
CVE-2025-63648 · Shared CWE-476

Affected Assets

libvncserver project · libvncserver · versions ≤ 0.9.15

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly addresses the vulnerability by requiring timely remediation of the specific null pointer dereference flaw in LibVNCServer through patching to the fixed commit.

SI-10 (Information Input Validation) · prevent: Mandates validation of HTTP request inputs in the proxy handlers so that a specially crafted request cannot reach the unvalidated strchr() return value and trigger a null pointer dereference.

SI-11 (Error Handling) · prevent: Ensures the missing strchr() NULL checks in the HTTP proxy paths are handled as errors, so that a malformed request fails gracefully instead of crashing the server with a null pointer dereference.
