CVE-2026-42859
Stack Buffer Overflow in Neat VNC Server
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| neatvnc | neatvnc | up to 0.9.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-120 | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42859 is a pre-authentication stack buffer overflow vulnerability in the neatVNC library's RSA-AES authentication mechanism prior to version 0.9.6.
An unauthenticated remote attacker who can reach the VNC listening socket can send a specially crafted handshake with an oversized client RSA public key. This causes the `rsa_aes_send_challenge` function to overflow a fixed 1024-byte on-stack buffer when encrypting the server challenge.
This overflow can lead to a denial of service by crashing the server. The vulnerability is fixed in version 0.9.6 by replacing the static buffer with dynamically allocated memory and validating the public key size to prevent abuse.
How can this vulnerability impact me?
This vulnerability allows an unauthenticated remote attacker to cause a denial of service by crashing the neatVNC server.
Since the attacker does not need to authenticate, any system running a vulnerable version of neatVNC and exposing the VNC listening socket is at risk of being disrupted.
The impact is primarily service availability loss due to server crashes triggered by the buffer overflow.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a pre-authentication stack buffer overflow triggered by a crafted RSA-AES handshake with an oversized client RSA public key sent to the neatvnc server's listening socket.
Detection can focus on monitoring network traffic to the VNC listening port for unusual or oversized RSA-AES (security type 5) or RSA-AES-256 (security type 129) handshake messages containing abnormally large client RSA public keys.
Since the vulnerability is triggered by a malformed handshake, you can use network packet capture tools like tcpdump or Wireshark to capture and analyze VNC handshake packets.
- Use tcpdump to capture traffic on the VNC port (usually 5900): `tcpdump -i <interface> port 5900 -w capture.pcap`
- Analyze the capture with Wireshark to inspect the RSA-AES handshake messages for abnormally large client RSA public keys.
Additionally, monitoring the neatvnc server logs for crashes or unexpected terminations during authentication attempts can indicate exploitation attempts.
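As an added example (not code from this page or from the Neat VNC project), a small Python checker that applies the detection idea above: it parses an RSA-AES client public-key message and flags any key whose RSA ciphertext would not fit the 1024-byte challenge buffer named in the advisory. The message layout (U32 key length in bits, then modulus and public exponent of equal byte length) is assumed from the RFB community specification, and the sample messages are constructed filler, not real keys.

```python
"""Flag RSA-AES client public keys too large for a 1024-byte challenge buffer."""
import struct

# Buffer size named in the advisory. An RSA ciphertext is modulus-sized, so
# any modulus longer than this in bytes cannot fit the fixed stack buffer.
CHALLENGE_BUF_LEN = 1024

# Security-type numbers quoted in the advisory text.
RSA_AES_TYPES = {5: "RSA-AES", 129: "RSA-AES-256"}


def parse_client_key(msg: bytes) -> tuple[int, bytes, bytes]:
    """Parse the RFB RSA-AES client public-key message.

    Layout assumed from the RFB community spec: U32 key length in bits,
    then modulus and public exponent, each ceil(bits / 8) bytes long.
    """
    if len(msg) < 4:
        raise ValueError("truncated key message")
    bits = struct.unpack(">I", msg[:4])[0]
    nbytes = (bits + 7) // 8
    if len(msg) < 4 + 2 * nbytes:
        raise ValueError("key message shorter than its declared key length")
    return bits, msg[4:4 + nbytes], msg[4 + nbytes:4 + 2 * nbytes]


def challenge_ciphertext_len(bits: int) -> int:
    """Bytes the server must hold after encrypting its challenge with this key."""
    return (bits + 7) // 8


def assess_client_key(sec_type: int, msg: bytes) -> dict:
    """Verdict for one client public-key message of an RSA-AES handshake."""
    bits, _modulus, _exponent = parse_client_key(msg)
    needed = challenge_ciphertext_len(bits)
    return {
        "security_type": RSA_AES_TYPES.get(sec_type, f"unknown({sec_type})"),
        "key_bits": bits,
        "ciphertext_len": needed,
        # True when a fixed 1024-byte buffer would be overrun.
        "oversized": needed > CHALLENGE_BUF_LEN,
    }


def build_client_key_msg(bits: int) -> bytes:
    """Constructed sample message: declared length plus filler, not a real key."""
    nbytes = (bits + 7) // 8
    return struct.pack(">I", bits) + b"\x01" * nbytes + b"\x03" * nbytes
```

Run `assess_client_key` over the client key message of each RSA-AES (type 5) or RSA-AES-256 (type 129) handshake extracted from a capture; a 2048-bit key yields a 256-byte ciphertext and passes, while a 16384-bit key needs 2048 bytes and is flagged.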
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in neatvnc version 0.9.6 by replacing the static buffer with dynamic memory allocation and validating the client RSA public key size.
Immediate mitigation steps include:
- Upgrade neatvnc to version 0.9.6 or later where the vulnerability is patched.
- If upgrading is not immediately possible, restrict network access to the neatvnc listening port to trusted hosts only, using firewall rules or network segmentation.
- Monitor the neatvnc server for crashes or abnormal behavior that could indicate exploitation attempts.
- Consider disabling RSA-AES (security type 5) and RSA-AES-256 (security type 129) authentication methods if possible, until the patch can be applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.