CVE-2026-42859
Received Received - Intake
Stack Buffer Overflow in Neat VNC Server

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-42859
EUVD
EUVD-2026-29167
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
neatvnc neatvnc to 0.9.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42859 is a pre-authentication stack buffer overflow vulnerability in the neatVNC library's RSA-AES authentication mechanism prior to version 0.9.6.

An unauthenticated remote attacker who can reach the VNC listening socket can send a specially crafted handshake with an oversized client RSA public key. This causes the rsa_aes_send_challenge function to overflow a fixed 1024-byte on-stack buffer when encrypting the server challenge.

This overflow can lead to a denial of service by crashing the server. The vulnerability is fixed in version 0.9.6 by replacing the static buffer with dynamically allocated memory and validating the public key size to prevent abuse.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to cause a denial of service by crashing the neatVNC server.

Since the attacker does not need to authenticate, any system running a vulnerable version of neatVNC and exposing the VNC listening socket is at risk of being disrupted.

The impact is primarily service availability loss due to server crashes triggered by the buffer overflow.

Detection Guidance

This vulnerability involves a pre-authentication stack buffer overflow triggered by a crafted RSA-AES handshake with an oversized client RSA public key sent to the neatvnc server's listening socket.

Detection can focus on monitoring network traffic to the VNC listening port for unusual or oversized RSA-AES (security type 5) or RSA-AES-256 (security type 129) handshake messages containing abnormally large client RSA public keys.

Since the vulnerability is triggered by a malformed handshake, you can use network packet capture tools like tcpdump or Wireshark to capture and analyze VNC handshake packets.

  • Use tcpdump to capture traffic on the VNC port (usually 5900): tcpdump -i <interface> port 5900 -w capture.pcap
  • Analyze the capture with Wireshark to inspect the RSA-AES handshake messages for abnormally large client RSA public keys.

Additionally, monitoring the neatvnc server logs for crashes or unexpected terminations during authentication attempts can indicate exploitation attempts.

Mitigation Strategies

The vulnerability is fixed in neatvnc version 0.9.6 by replacing the static buffer with dynamic memory allocation and validating the client RSA public key size.

Immediate mitigation steps include:

  • Upgrade neatvnc to version 0.9.6 or later where the vulnerability is patched.
  • If upgrading is not immediately possible, restrict network access to the neatvnc listening port to trusted hosts only, using firewall rules or network segmentation.
  • Monitor the neatvnc server for crashes or abnormal behavior that could indicate exploitation attempts.
  • Consider disabling RSA-AES (security type 5) and RSA-AES-256 (security type 129) authentication methods if possible, until the patch can be applied.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42859. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart