Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32854 is a vulnerability in LibVNCServer versions 0.9.15 and earlier that involves null pointer dereferences in the HTTP proxy handlers within the function httpProcessInput() in httpd.c.'}, {'type': 'paragraph', 'content': "The flaw occurs because the code uses the return value of the strchr() function without checking if it is NULL. Specifically, in handling HTTP CONNECT requests, the code looks for a colon character ':' to parse the port number. If the colon is missing, strchr() returns NULL, and the code attempts to use this NULL pointer plus one in atoi(), causing a segmentation fault."}, {'type': 'paragraph', 'content': "Similarly, in handling HTTP GET requests, the code looks for a slash '/' to identify a specific path. If the slash is missing, strchr() returns NULL, which is then passed directly to strncmp(), causing another segmentation fault."}, {'type': 'paragraph', 'content': 'These null pointer dereferences allow remote attackers to send specially crafted HTTP requests that crash the server process, resulting in a denial of service.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by crashing the LibVNCServer process.'}, {'type': 'paragraph', 'content': "By sending specially crafted malformed HTTP CONNECT or GET requests to the server's HTTP proxy port, an attacker can trigger null pointer dereferences that crash the server."}, {'type': 'paragraph', 'content': 'The impact is a loss of availability of the VNC server, potentially disrupting remote access or services relying on it.'}, {'type': 'paragraph', 'content': 'Exploitation requires the server to be configured with both the HTTP daemon (-httpd) and HTTP proxy (-enablehttpproxy) features enabled, which are non-default settings.'}] [2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending specially crafted malformed HTTP requests to the LibVNCServer HTTP proxy port and observing if the server crashes or experiences a denial of service.'}, {'type': 'paragraph', 'content': 'Specifically, you can test for the two NULL pointer dereference issues by sending these commands to the HTTP port (default is VNC port minus 100, e.g., 5800 if VNC runs on 5900) when the server is running with both -httpd and -enablehttpproxy options enabled:'}, {'type': 'list_item', 'content': 'Trigger CONNECT handler crash: `echo -e " CONNECT nocolon\\r\\n\\r\\n " | nc <server_ip> 5800`'}, {'type': 'list_item', 'content': 'Trigger GET proxy handler crash: `echo -e " GET noslash\\r\\n\\r\\n " | nc <server_ip> 5800`'}, {'type': 'paragraph', 'content': 'If the server crashes or becomes unresponsive after these commands, it indicates the presence of the vulnerability.'}] [3]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should:

• Disable the HTTP proxy feature by not using the -enablehttpproxy option when starting the LibVNCServer.
• Avoid enabling the HTTP daemon feature (-httpd option) unless necessary, as the vulnerability requires both -httpd and -enablehttpproxy to be enabled.
• Apply the official patch or update to a version of LibVNCServer that includes the fix from commit dc78dee, which adds proper NULL checks to prevent the crashes.

These steps will prevent remote attackers from exploiting malformed HTTP requests to cause denial of service.

Useful 0 Not Useful 0