#1138253 libvncserver: Attacker-controlled heap out-of-bounds write in libvncclient Tight decoder

Package:
src:libvncserver
Source:
src:libvncserver
Submitter:
Salvatore Bonaccorso
Date:
2026-06-15 20:53:01 UTC
Severity:
normal
#1138253#5
Date:
2026-05-30 07:42:47 UTC
GHSA-v9pm-47h4-jcq8 (no CVE yet) describes:
Attacker-controlled heap out-of-bounds write in libvncclient Tight
decoder:
| A malicious (or man-in-the-middle) VNC server can force a connecting
| libvncclient to write attacker-controlled data past the end of its
| framebuffer. This is an out-of-bounds heap write with attacker-
| controlled length, contents, and offset. It needs no authentication
| (the attacker is the server), works in a default build with default
| settings, and fires from a single FramebufferUpdate the moment the
| victim connects. It crashes any client unconditionally (denial of
| service); we also demonstrated it overwriting an application callback
| pointer and redirecting execution to attacker-chosen code (code
| execution) under the default configuration.
https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8

Regards,
Salvatore
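As an added illustration (not code from the advisory, from libvncclient, or from the Debian patch), the kind of check a client decoder needs before it copies a server-supplied rectangle into its framebuffer: the rectangle geometry and the payload length are validated against the client's own dimensions and allocation, so the server cannot pick the write offset or length. The `Framebuffer` type, `rect_fits`, `blit_rect`, `try_tile` and the 8x4 fixture are assumptions constructed for the example; the actual upstream fix is not shown on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Minimal client-side framebuffer (constructed stand-in, not libvncclient's). */
typedef struct {
    uint8_t *data;
    size_t   size;            /* bytes actually allocated behind data */
    uint16_t width, height;   /* geometry the client negotiated */
    uint8_t  bpp;             /* bytes per pixel */
} Framebuffer;

/* True only if the server-supplied rectangle lies wholly inside the framebuffer.
 * Sums are taken in 32 bits so a 16-bit x+w or y+h cannot wrap around. */
bool rect_fits(const Framebuffer *fb, uint16_t x, uint16_t y, uint16_t w, uint16_t h)
{
    if (w == 0 || h == 0)
        return false;
    return (uint32_t)x + w <= fb->width && (uint32_t)y + h <= fb->height;
}

/* Copy one decoded rectangle into the framebuffer, refusing any server-sent
 * geometry that would write past the allocation or read past the payload. */
bool blit_rect(Framebuffer *fb, uint16_t x, uint16_t y, uint16_t w, uint16_t h,
               const uint8_t *pixels, size_t pixels_len)
{
    if (!rect_fits(fb, x, y, w, h))
        return false;
    size_t row_bytes = (size_t)w * fb->bpp;
    if (pixels_len < row_bytes * h)
        return false;
    for (uint16_t r = 0; r < h; r++) {
        size_t dst = (((size_t)y + r) * fb->width + x) * fb->bpp;
        if (dst + row_bytes > fb->size)   /* guards against a lying width/height */
            return false;
        memcpy(fb->data + dst, pixels + (size_t)r * row_bytes, row_bytes);
    }
    return true;
}
/* Constructed fixtures: an honest 8x4 buffer at 4 bytes/pixel (128 bytes),
 * and one whose claimed 8x4 geometry exceeds its 16-byte allocation. */
static uint8_t g_pixels[8 * 4 * 4];
static Framebuffer g_fb    = { g_pixels, sizeof g_pixels, 8, 4, 4 };
static Framebuffer g_lying = { g_pixels, 16,              8, 4, 4 };
/* Blit a constructed 4x2 tile of 0xAB bytes at (x, y); true if accepted. */
bool try_tile(Framebuffer *fb, uint16_t x, uint16_t y)
{
    uint8_t tile[4 * 2 * 4];
    memset(tile, 0xAB, sizeof tile);
    return blit_rect(fb, x, y, 4, 2, tile, sizeof tile);
}
```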

#1138253#10
Date:
2026-06-15 08:23:52 UTC
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

In the security advisory [1] upstream meanwhile lists CVE-2026-50538 as
CVE ID of this issue, while there is still no CVE record available from
cve.org [2]. Hence, I wonder whether or not one should already
reference this CVE ID with fixing this bug.

What is the Security Team's position in that regard?

Sven

[1] https://github.com/LibVNC/libvncserver/security/advisories/GHSA-v9pm-47h4-jcq8
[2] https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-50538

#1138253#15
Date:
2026-06-15 14:10:03 UTC
Hi Sven,

Given it is a github hosted project for which Github is a CNA, and the
CVE appeared in the GHSA, I'm inclined to associate it yes. I updated
the tracker entry already to make the link.

Regards,
Salvatore

#1138253#18
Date:
2026-06-15 19:24:52 UTC
Hello,

Bug #1138253 in libvncserver reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian-remote-team/libvncserver/-/commit/e8738ce15c219393c27ebffb1b4459ea05b44a7c
------------------------------------------------------------------------
d/p/*: Add 0004_CVE-2026-50538.patch fixing attacker-controlled heap out-of-bounds write.

Closes: #1138253
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1138253

#1138253#25
Date:
2026-06-15 20:51:15 UTC
We believe that the bug you reported is fixed in the latest version of
libvncserver, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1138253@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sven Geuer <sge@debian.org> (supplier of updated libvncserver package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 15 Jun 2026 22:15:05 +0200
Source: libvncserver
Architecture: source
Version: 0.9.15+dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Remote Maintainers <debian-remote@lists.debian.org>
Changed-By: Sven Geuer <sge@debian.org>
Closes: 1138253
Changes:
 libvncserver (0.9.15+dfsg-6) unstable; urgency=medium
 .
   [ Sven Geuer ]
   * debian/patches:
     + 0004_CVE-2026-50538: Add patch fixing attacker-controlled heap
       out-of-bounds write (Closes: #1138253).
   * d/control:
     + Add myself to Uploaders.
     + Drop Priority and Rules-Requires-Root fields.
     + Bump Standards-Version to 4.7.4.
   * d/copyright: Update packaging copyright holders.
   * d/watch: Update watch file to version 5 format.
 .
   [ Debian Janitor ]
   * Use secure URI in Homepage field.
   * Set field Upstream-Contact in debian/copyright.
   * Set upstream metadata fields: Repository.
   * Remove obsolete fields Contact, Name from debian/upstream/metadata
     (already present in machine-readable debian/copyright).
   * Remove unnecessary get-orig-source-target.
   * Remove constraints unnecessary since buster.