CVE-2026-32854
Published: 24 March 2026
Summary
CVE-2026-32854 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in LibVNCServer (LibVNCServer Project). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 13.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses the vulnerability by requiring timely remediation of the specific null pointer dereference flaw in LibVNCServer through patching to the fixed commit.
Mandates validation of HTTP request inputs in the proxy handlers to prevent specially crafted requests from triggering the unvalidated strchr() return value leading to null pointer dereference.
Ensures proper error handling where strchr() validation is missing in the HTTP proxy paths, so the server fails gracefully instead of crashing on a null pointer dereference.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Null pointer dereference in HTTP proxy handler allows remote unauthenticated crafted requests to crash the LibVNCServer process, directly mapping to application/system exploitation for endpoint denial of service.
NVD Description
LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.
Deeper analysis
CVE-2026-32854 is a null pointer dereference vulnerability (CWE-476) in LibVNCServer versions 0.9.15 and prior. The flaw exists in the HTTP proxy handlers within the httpProcessInput() function in httpd.c, stemming from missing validation of strchr() return values in the CONNECT and GET proxy handling paths. This allows remote attackers to trigger null pointer dereferences by sending specially crafted HTTP requests, leading to server crashes when httpd and proxy features are enabled. The issue was fixed in commit dc78dee51a7e270e537a541a17befdf2073f5314.
Remote, unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction, as reflected in its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Successful exploitation causes a denial of service by crashing the affected LibVNCServer instance, disrupting VNC services that rely on the httpd and proxy components.
Mitigation involves updating to LibVNCServer versions incorporating the fix from commit dc78dee51a7e270e537a541a17befdf2073f5314. Further details on the vulnerability and remediation are provided in the GitHub Security Advisory at GHSA-xjp8-4qqv-5x4x and the VulnCheck advisory at vulncheck.com/advisories/libvncserver-httpd-proxy-null-pointer-dereference.
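The defensive pattern for this bug class (CWE-476 from an unchecked strchr() result) is shown below as an added example; it is not LibVNCServer's code or the content of the fix commit. The helper name `parse_connect_target`, the `host:port` request shape and the sample request lines are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not LibVNCServer code): split the target of a
 * "CONNECT host:port HTTP/1.x" request line into host and port.
 * Returns 0 on success, -1 on any malformed input. */
int parse_connect_target(const char *line, char *host, size_t host_len, int *port)
{
    static const char method[] = "CONNECT ";
    if (line == NULL || host == NULL || host_len == 0 || port == NULL)
        return -1;
    if (strncmp(line, method, sizeof method - 1) != 0)
        return -1;
    const char *target = line + sizeof method - 1;

    /* The target ends at the next space; reject the line if there is none. */
    const char *end = strchr(target, ' ');
    if (end == NULL)
        return -1;

    /* strchr() returns NULL when the delimiter is absent. Code that uses
     * the result without this check dereferences NULL on such input. */
    const char *colon = strchr(target, ':');
    if (colon == NULL || colon >= end)
        return -1;

    size_t n = (size_t)(colon - target);
    if (n == 0 || n >= host_len)
        return -1;
    memcpy(host, target, n);
    host[n] = '\0';

    char *stop = NULL;
    long p = strtol(colon + 1, &stop, 10);
    if (stop == colon + 1 || stop != end || p < 1 || p > 65535)
        return -1;
    *port = (int)p;
    return 0;
}

int main(void)
{
    char h[64]; int p = 0; /* request lines below are constructed samples */
    printf("%d\n", parse_connect_target("CONNECT vnc.example:5900 HTTP/1.0", h, sizeof h, &p));
    printf("%d\n", parse_connect_target("CONNECT vnc.example HTTP/1.0", h, sizeof h, &p));
    return 0;
}
```

Every failure path returns -1, so the caller can answer with an HTTP error and close the connection instead of crashing the process.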
Details
- CWE(s)