VYPR
Unrated severity · OSV Advisory · Published Dec 19, 2018 · Updated Aug 5, 2024

CVE-2018-20022

Description

LibVNC before commit 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838 contains multiple CWE-665 (Improper Initialization) weaknesses in its VNC client code that allow an attacker to read stack memory and can be abused for information disclosure. Combined with another vulnerability, they can be used to leak the stack memory layout and to bypass ASLR.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

LibVNC client code before 0.9.12 improperly initializes stack variables, allowing remote attackers to leak stack memory and bypass ASLR.

Vulnerability

LibVNC (LibVNCServer/LibVNCClient) before version 0.9.12 (commit 2f5b2ad1c6c99b1ac6482c95844a84d66bb52838) contains multiple CWE-665 (Improper Initialization) weaknesses in the VNC client code. These flaws cause stack variables to be used without proper initialization, potentially leaking uninitialized stack memory to an attacker [1][3].

Exploitation

An attacker can exploit this vulnerability remotely by setting up a malicious VNC server or by intercepting VNC traffic. When a vulnerable client connects to the attacker-controlled server, the server sends crafted data that triggers the client to read uninitialized stack memory. The leaked memory is then transmitted back to the attacker, revealing stack contents [1].
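The general pattern behind a CWE-665 leak of this kind, as an added example that is not LibVNC's code and does not reproduce the specific flaws fixed in the commit: a client fills in only some fields of a stack struct, then sends the whole struct to the peer. The struct (shaped like the RFC 6143 ClientCutText header), the function names and the 0xA5 marker are assumptions, and stale stack contents are simulated with `memset` so the result is deterministic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xA5  /* constructed marker standing in for leftover stack bytes */

/* Illustrative 8-byte header shaped like RFC 6143 ClientCutText:
 * type, three padding bytes, length. Not LibVNC's definition. */
struct cut_text_hdr {
    uint8_t  type;
    uint8_t  pad1;
    uint16_t pad2;
    uint32_t length;   /* byte-order conversion omitted for brevity */
};
_Static_assert(sizeof(struct cut_text_hdr) == 8, "no implicit padding expected");

/* Weak: only the meaningful fields are assigned; pad1/pad2 keep whatever
 * the stack slot held. The memset models that residue deterministically. */
size_t encode_weak(uint32_t len, unsigned char *wire) {
    struct cut_text_hdr h;
    memset(&h, STALE, sizeof h);   /* simulation of a dirty stack slot */
    h.type = 6;
    h.length = len;
    memcpy(wire, &h, sizeof h);    /* whole struct goes to the peer */
    return sizeof h;
}

/* Hardened: zero the whole object before filling it in. */
size_t encode_hardened(uint32_t len, unsigned char *wire) {
    struct cut_text_hdr h;
    memset(&h, STALE, sizeof h);   /* same dirty slot as above */
    memset(&h, 0, sizeof h);       /* the fix: full initialization */
    h.type = 6;
    h.length = len;
    memcpy(wire, &h, sizeof h);
    return sizeof h;
}

/* Count marker bytes that reached the wire buffer. */
size_t count_residue(const unsigned char *wire, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) hits += (wire[i] == STALE);
    return hits;
}

int main(void) {
    unsigned char w[8];
    printf("weak: %zu residue bytes\n", count_residue(w, encode_weak(5, w)));
    printf("hardened: %zu residue bytes\n", count_residue(w, encode_hardened(5, w)));
    return 0;
}
```

When auditing client code for this class of bug, look for stack structs or buffers passed to a write or send call with `sizeof` the whole object while only some members were assigned.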

Impact

Successful exploitation results in information disclosure: the attacker can read stack memory, potentially exposing sensitive data or the memory layout. Combined with another vulnerability, this can be used to bypass Address Space Layout Randomization (ASLR), aiding further attacks [1].

Mitigation

The vulnerability is fixed in LibVNCServer 0.9.12, released in September 2018 [1][3]. Users should upgrade to this version or later. For the ssvnc package (which includes LibVNC), Gentoo has discontinued support and recommends unmerging it (emerge --unmerge net-misc/ssvnc) as no workaround exists [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

25


References

12
