CVE-2026-32854
Published: 24 March 2026
Summary
CVE-2026-32854 is a medium-severity NULL Pointer Dereference (CWE-476) vulnerability in LibVNCServer (vendor: Libvncserver Project). Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 24.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
LibVNCServer versions 0.9.15 and prior contain null pointer dereference vulnerabilities in the HTTP proxy handlers within the httpProcessInput function in httpd.c. The flaws stem from missing validation of strchr return values in the CONNECT and GET proxy handling paths and are assigned CWE-476. They affect deployments where the httpd and proxy features are enabled and were addressed in commit dc78dee.
Remote attackers can trigger the issues by sending specially crafted HTTP requests over the network, causing a null pointer dereference that crashes the server and produces a denial of service. The CVSS 4.0 score of 6.3 reflects network attack vector, low complexity, and limited impact confined to availability with no privileges or user interaction required.
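A hardened form of the parsing pattern this advisory describes, added here as a constructed illustration (not the LibVNCServer httpd.c code): every strchr() result on the request line and on the CONNECT target is checked before use, so a request that lacks the expected delimiter is rejected with an error instead of dereferencing NULL. The function names and the sample request line are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Constructed illustration, not LibVNCServer's httpd.c. Splits "METHOD target
 * HTTP/x.y" into method and target, checking each strchr() result; returns 0
 * on success, -1 if a delimiter is missing or a field does not fit its buffer. */
int parse_request_line(const char *line, char *method, size_t mlen,
                       char *target, size_t tlen)
{
    if (!line || !method || !target) return -1;
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL) return -1;                 /* "GET" with no target */
    const char *sp2 = strchr(sp1 + 1, ' ');
    if (sp2 == NULL) return -1;                 /* target with no version */
    size_t m = (size_t)(sp1 - line), t = (size_t)(sp2 - sp1 - 1);
    if (m == 0 || m >= mlen || t == 0 || t >= tlen) return -1;
    memcpy(method, line, m); method[m] = '\0';
    memcpy(target, sp1 + 1, t); target[t] = '\0';
    return 0;
}

/* Parse a CONNECT target "host:port". Returns 0 on success, -1 otherwise.
 * The unchecked form, *strchr(target, ':') = '\0', writes through NULL
 * whenever ':' is absent; here that case is rejected instead. */
int parse_connect_target(const char *target, char *host, size_t hlen, int *port)
{
    if (!target || !host || !port) return -1;
    const char *colon = strchr(target, ':');
    if (colon == NULL) return -1;               /* no port separator */
    size_t n = (size_t)(colon - target);
    if (n == 0 || n >= hlen) return -1;         /* empty host or too long */
    memcpy(host, target, n); host[n] = '\0';
    char *end; long p = strtol(colon + 1, &end, 10);
    if (end == colon + 1 || *end != '\0' || p < 1 || p > 65535) return -1;
    *port = (int)p;
    return 0;
}

int main(void)
{
    char method[8], target[128], host[64]; int port = 0;
    const char *line = "CONNECT vnc.example.test HTTP/1.1"; /* constructed: no ':' */
    if (parse_request_line(line, method, sizeof method, target, sizeof target) == 0 &&
        parse_connect_target(target, host, sizeof host, &port) == 0)
        printf("proxy to %s port %d\n", host, port);
    else
        printf("rejected malformed request: %s\n", line);
    return 0;
}
```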
The official fix is documented in the LibVNC repository commit dc78dee along with the GitHub security advisory GHSA-xjp8-4qqv-5x4x and the VulnCheck advisory that detail the affected code paths and remediation.
EPSS for the CVE rose from a low baseline to a peak of 0.0273 on 2026-05-05 before receding to the current value of 0.0089, indicating a measurable increase in exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14932
Vulnerability details
LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.
- CWE(s): CWE-476 (NULL Pointer Dereference)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Application or System Exploitation (T1499.004)
Why these techniques?
A null pointer dereference in the HTTP proxy handler lets remote, unauthenticated crafted requests crash the LibVNCServer process, which maps directly to application/system exploitation for endpoint denial of service.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly addresses the vulnerability by requiring timely remediation of the specific null pointer dereference flaw in LibVNCServer through patching to the fixed commit.
- SI-10 (Information Input Validation): mandates validation of HTTP request inputs in the proxy handlers so that specially crafted requests cannot reach the unvalidated strchr() return value and cause a null pointer dereference.
- SI-11 (Error Handling): ensures the missing-delimiter case in the HTTP proxy paths is handled as an error, so the server fails gracefully instead of crashing on a null pointer dereference.