CVE-2016-9942
Severity CVSS v4.0:
Pending analysis
Type:
CWE-119
Buffer Errors
Publication date:
31/12/2016
Last modified:
12/04/2025
Description
Heap-based buffer overflow in ultra.c in LibVNCClient in LibVNCServer before 0.9.11 allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message with the Ultra type tile, such that the LZO payload decompressed length exceeds what is specified by the tile dimensions.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:libvncserver_project:libvncserver:0.9.10:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- http://www.debian.org/security/2017/dsa-3753
- http://www.securityfocus.com/bid/95170
- https://github.com/LibVNC/libvncserver/pull/137
- https://github.com/LibVNC/libvncserver/releases/tag/LibVNCServer-0.9.11
- https://lists.debian.org/debian-lts-announce/2019/10/msg00042.html
- https://security.gentoo.org/glsa/201702-24
- https://usn.ubuntu.com/4587-1/



