libvncserver_project CVE Vulnerabilities & Metrics

Focus on libvncserver_project vulnerabilities and metrics.

Last updated: 29 Mar 2026, 22:25 UTC

About libvncserver_project Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with libvncserver_project. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total libvncserver_project CVEs: 12
Earliest CVE date: 31 Dec 2016, 18:59 UTC
Latest CVE date: 24 Mar 2026, 18:16 UTC

Latest CVE reference: CVE-2026-32854

Rolling Stats

30-day Count (Rolling): 2
365-day Count (Rolling): 2

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical libvncserver_project CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.7

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	3
4.0-6.9	5
7.0-8.9	4
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS libvncserver_project CVEs

These are the five CVEs with the highest CVSS scores for libvncserver_project, sorted by severity first and recency.

CVE-2017-18922 libvncserver_project Published on 30 Jun 2020, 11:15 UTC (CVSS: 7.5)
It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow.
CVE-2018-7225 libvncserver_project Published on 19 Feb 2018, 15:29 UTC (CVSS: 7.5)
An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.
CVE-2016-9942 libvncserver_project Published on 31 Dec 2016, 18:59 UTC (CVSS: 7.5)
Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.
CVE-2016-9941 libvncserver_project Published on 31 Dec 2016, 18:59 UTC (CVSS: 7.5)
Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.
CVE-2020-14401 libvncserver_project Published on 17 Jun 2020, 16:15 UTC (CVSS: 6.4)
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/scale.c has a pixel_value integer overflow.

All CVEs for libvncserver_project

CVE-2026-32854 libvncserver_project vulnerability CVSS: 0 24 Mar 2026, 18:16 UTC

LibVNCServer versions 0.9.15 and prior (fixed in commit dc78dee) contain null pointer dereference vulnerabilities in the HTTP proxy handlers within httpProcessInput() in httpd.c that allow remote attackers to cause a denial of service by sending specially crafted HTTP requests. Attackers can exploit missing validation of strchr() return values in the CONNECT and GET proxy handling paths to trigger null pointer dereferences and crash the server when httpd and proxy features are enabled.

CVE-2026-32853 libvncserver_project vulnerability CVSS: 0 24 Mar 2026, 18:16 UTC

LibVNCServer versions 0.9.15 and prior (fixed in commit 009008e) contain a heap out-of-bounds read vulnerability in the UltraZip encoding handler that allows a malicious VNC server to cause information disclosure or application crash. Attackers can exploit improper bounds checking in the HandleUltraZipBPP() function by manipulating subrectangle header counts to read beyond the allocated heap buffer.

CVE-2020-29260 libvncserver_project vulnerability CVSS: 0 02 Sep 2022, 23:15 UTC

libvncclient v0.9.13 was discovered to contain a memory leak via the function rfbClientCleanup().

CVE-2020-25708 libvncserver_project vulnerability CVSS: 5.0 27 Nov 2020, 18:15 UTC

A divide by zero issue was found to occur in libvncserver-0.9.12. A malicious client could use this flaw to send a specially crafted message that, when processed by the VNC server, would lead to a floating point exception, resulting in a denial of service.

CVE-2017-18922 libvncserver_project vulnerability CVSS: 7.5 30 Jun 2020, 11:15 UTC

It was discovered that websockets.c in LibVNCServer prior to 0.9.12 did not properly decode certain WebSocket frames. A malicious attacker could exploit this by sending specially crafted WebSocket frames to a server, causing a heap-based buffer overflow.

CVE-2020-14401 libvncserver_project vulnerability CVSS: 6.4 17 Jun 2020, 16:15 UTC

An issue was discovered in LibVNCServer before 0.9.13. libvncserver/scale.c has a pixel_value integer overflow.

CVE-2020-14400 libvncserver_project vulnerability CVSS: 5.0 17 Jun 2020, 16:15 UTC

An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint16_t pointers in libvncserver/translate.c. NOTE: Third parties do not consider this to be a vulnerability as there is no known path of exploitation or cross of a trust boundary

CVE-2020-14399 libvncserver_project vulnerability CVSS: 5.0 17 Jun 2020, 16:15 UTC

An issue was discovered in LibVNCServer before 0.9.13. Byte-aligned data is accessed through uint32_t pointers in libvncclient/rfbproto.c. NOTE: there is reportedly "no trust boundary crossed.

CVE-2010-5304 libvncserver_project vulnerability CVSS: 5.0 05 Feb 2020, 20:15 UTC

A NULL pointer dereference flaw was found in the way LibVNCServer before 0.9.9 handled certain ClientCutText message. A remote attacker could use this flaw to crash the VNC server by sending a specially crafted ClientCutText message from a VNC client.

CVE-2018-7225 libvncserver_project vulnerability CVSS: 7.5 19 Feb 2018, 15:29 UTC

An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.

CVE-2016-9942 libvncserver_project vulnerability CVSS: 7.5 31 Dec 2016, 18:59 UTC

Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.

CVE-2016-9941 libvncserver_project vulnerability CVSS: 7.5 31 Dec 2016, 18:59 UTC

Heap-based buffer overflow in rfbproto.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.