SB20260427144 - Anolis OS update for libvncserver
Published: April 27, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2026-32853)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information or cause a denial of service.
The vulnerability exists due to out-of-bounds read in the HandleUltraZipBPP function in src/libvncclient/ultra.c when processing UltraZip-encoded FramebufferUpdate messages. A remote attacker can send a specially crafted FramebufferUpdate message with an attacker-controlled subrectangle count to disclose sensitive information or cause a denial of service.
UltraZip encoding is enabled by default in LibVNCClient, and no authentication is required on the server side when using rfbSecTypeNone.
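The defect described above is the classic CWE-125 pattern: a count read from the wire drives a loop over a buffer whose real size is something else. The following is an added, constructed illustration of the defensive check a decoder needs; it is not libvncserver's code, and the message layout it assumes (a big-endian 32-bit subrectangle count followed by fixed 8-byte records, sample buffers built inline) is a simplification chosen for the example, not the real UltraZip format.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration (not libvncserver code). A decoded buffer is
 * assumed to start with a 32-bit big-endian subrectangle count followed by
 * that many 8-byte records (x, y, w, h as 16-bit big-endian values). The
 * count is attacker-controlled, so it must be validated against the number
 * of bytes actually present before any record is read. */

#define SUBRECT_SIZE 8u   /* assumed record size for this example */

typedef struct { uint16_t x, y, w, h; } subrect_t;

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint16_t rd_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns the number of subrectangles parsed, or -1 when the declared count
 * does not fit in the buffer (or in the caller's output array). Without the
 * count check, an oversized count would make the loop read past 'buf'. */
int parse_subrects_checked(const uint8_t *buf, size_t len,
                           subrect_t *out, size_t out_cap)
{
    if (buf == NULL || out == NULL || len < 4)
        return -1;

    uint32_t count = rd_be32(buf);

    /* Divide instead of multiplying so a huge count cannot overflow. */
    if (count > (len - 4) / SUBRECT_SIZE)
        return -1;
    if (count > out_cap || count > (uint32_t)INT_MAX)
        return -1;

    const uint8_t *p = buf + 4;
    for (uint32_t i = 0; i < count; i++, p += SUBRECT_SIZE) {
        out[i].x = rd_be16(p);
        out[i].y = rd_be16(p + 2);
        out[i].w = rd_be16(p + 4);
        out[i].h = rd_be16(p + 6);
    }
    return (int)count;
}

/* Constructed sample: count = 2, followed by exactly two records. */
static const uint8_t sample_ok[] = {
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x10, 0x00, 0x20, 0x00, 0x40, 0x00, 0x30,   /* x=16 y=32 w=64 h=48 */
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x80    /* x=0  y=0  w=256 h=128 */
};

/* Constructed sample: count claims 1000 records but only two are present. */
static const uint8_t sample_oversized[] = {
    0x00, 0x00, 0x03, 0xE8,
    0x00, 0x10, 0x00, 0x20, 0x00, 0x40, 0x00, 0x30,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x80
};

/* Helpers that run the parser over the constructed samples. */
int demo_valid_count(void)
{
    subrect_t rects[16];
    return parse_subrects_checked(sample_ok, sizeof sample_ok, rects, 16);
}

int demo_valid_first_width(void)
{
    subrect_t rects[16];
    if (parse_subrects_checked(sample_ok, sizeof sample_ok, rects, 16) < 0)
        return -1;
    return rects[0].w;
}

int demo_oversized_count(void)
{
    subrect_t rects[16];
    return parse_subrects_checked(sample_oversized, sizeof sample_oversized,
                                  rects, 16);
}
```

The important line is the division-based comparison: it rejects the oversized count before the loop starts, and it cannot itself overflow the way `count * SUBRECT_SIZE > len` can for large counts.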
2) NULL pointer dereference (CVE-ID: CVE-2026-32854)
CWE-ID: CWE-476 - NULL Pointer Dereference
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to null pointer dereference in httpProcessInput in src/libvncserver/httpd.c when handling malformed CONNECT or GET requests to the HTTP proxy handlers. A remote attacker can send a specially crafted request to cause a denial of service.
Only configurations with both the non-default -httpd and -enablehttpproxy options enabled are vulnerable.
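The second item is a CWE-476 pattern in request parsing: a string search such as strchr() or strstr() returns NULL for a malformed line and the result is used without a check. The following is an added, constructed illustration of a request-line parser that rejects malformed CONNECT and GET lines instead of dereferencing NULL; it is not libvncserver's httpd.c, and the request shapes it accepts (CONNECT host:port and GET /path) are assumptions for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration (not libvncserver's httpd.c). Parses the request
 * line of an HTTP proxy request such as
 *   "CONNECT host:port HTTP/1.1"   or   "GET /path HTTP/1.0"
 * Every strchr() result is checked before use, so a line that is missing a
 * token yields an error return instead of a NULL dereference. */

typedef struct {
    char method[8];
    char target[128];
} http_req_t;

/* Returns 1 when the line is well formed, 0 otherwise. */
int parse_request_line(const char *line, http_req_t *req)
{
    if (line == NULL || req == NULL)
        return 0;

    /* Method ends at the first space; absent space means malformed line. */
    const char *sp1 = strchr(line, ' ');
    if (sp1 == NULL)
        return 0;
    size_t mlen = (size_t)(sp1 - line);
    if (mlen == 0 || mlen >= sizeof req->method)
        return 0;
    memcpy(req->method, line, mlen);
    req->method[mlen] = '\0';

    /* Target ends at the next space; a missing version token is rejected. */
    const char *tgt = sp1 + 1;
    const char *sp2 = strchr(tgt, ' ');
    if (sp2 == NULL)
        return 0;
    size_t tlen = (size_t)(sp2 - tgt);
    if (tlen == 0 || tlen >= sizeof req->target)
        return 0;
    memcpy(req->target, tgt, tlen);
    req->target[tlen] = '\0';

    if (strcmp(req->method, "CONNECT") == 0) {
        /* CONNECT needs host:port. Reject when ':' is absent rather than
         * handing a NULL pointer to the code that splits host and port. */
        const char *colon = strchr(req->target, ':');
        if (colon == NULL || colon[1] == '\0')
            return 0;
    } else if (strcmp(req->method, "GET") == 0) {
        if (req->target[0] != '/')
            return 0;
    } else {
        return 0;
    }

    /* Version token must at least start with "HTTP/". */
    if (strncmp(sp2 + 1, "HTTP/", 5) != 0)
        return 0;
    return 1;
}

/* Convenience wrapper returning only the validity verdict. */
int request_is_valid(const char *line)
{
    http_req_t req;
    return parse_request_line(line, &req);
}
```

The pattern to carry back to any proxy handler is simple: each search that can fail gets its own check, and the function returns an error code the caller can turn into a 400 response before the connection is touched further.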
Remediation
Install the update from the vendor's website.