Skip to main content

Neat VNC CVE-2026-42859

| EUVDEUVD-2026-29167 HIGH
Classic Buffer Overflow (CWE-120)
2026-05-11 GitHub_M
8.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 11, 2026 - 19:02 EUVD
Source Code Evidence Fetched
May 11, 2026 - 18:46 vuln.today
Analysis Generated
May 11, 2026 - 18:46 vuln.today
CVSS changed
May 11, 2026 - 18:22 NVD
8.1 (HIGH)
CVE Published
May 11, 2026 - 17:36 nvd
HIGH 8.1

DescriptionGitHub Advisory

Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.

AnalysisAI

Remote code execution and denial of service in Neat VNC library version <0.9.6 allows unauthenticated network attackers to overflow a 1024-byte stack buffer during RSA-AES security handshake. An attacker sends a crafted VNC security type 5 or 129 message with an oversized client RSA public key, triggering a stack buffer overflow in rsa_aes_send_challenge() when the server encrypts its challenge response. CVSS 8.1 (High) with network attack vector, low complexity, and no authentication required. No public exploit identified at time of analysis, though the vulnerability is trivial to trigger based on the patch diff showing a simple size validation check addition.

Technical ContextAI

Neat VNC is a VNC server library implementing the RFB (Remote Framebuffer) protocol. The vulnerability affects the RSA-AES and RSA-AES-256 security types (RFB security types 5 and 129), which provide encrypted authentication. During the VNC handshake, the client sends its RSA public key to the server. The vulnerable code in src/auth/rsa-aes.c allocated a fixed 1024-byte stack buffer to hold the RFB challenge message structure, then called crypto_rsa_encrypt() to encrypt the server's random challenge using the client-provided RSA public key. Because the code did not validate the size of the client's public key before encryption, an attacker could send a key exceeding 1024 bytes, causing crypto_rsa_encrypt() to write beyond the stack buffer boundary. This is a classic stack buffer overflow (CWE-120) in pre-authentication code. The patch introduces a MAX_PUB_KEY_SIZE constant (1,000,000 bytes) and validates the client key length before processing, plus replaces the fixed stack buffer with dynamically allocated memory sized to the actual key length.

RemediationAI

Upgrade Neat VNC library to version 0.9.6 or later, which includes the fix committed in GitHub commit 1f6cd6b75cc167fed3a19a9d1552a1f662f6b337. The patch validates client RSA public key size against a 1MB maximum before processing and replaces the fixed 1024-byte stack buffer with dynamic heap allocation sized to the actual key length. Until patching, restrict VNC listening sockets to trusted networks only using firewall rules or network segmentation - do NOT expose VNC services directly to the internet. If RSA-AES security types are not required, disable security types 5 and 129 in the VNC server configuration to prevent exploitation while retaining other authentication methods, though this reduces encryption strength. Network restrictions are the only effective compensating control, as the vulnerability exists in pre-authentication handshake code that executes before any access controls apply. Review deployment configurations to identify which applications integrate Neat VNC library and prioritize patching internet-facing or high-value internal services.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-42859 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy