CVE-2018-7225
Description
An issue was discovered in LibVNCServer through 0.9.11. rfbProcessClientNormalMessage() in rfbserver.c does not sanitize msg.cct.length, leading to access to uninitialized and potentially sensitive data or possibly unspecified other impact (e.g., an integer overflow) via specially crafted VNC packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibVNCServer through 0.9.11 lacks sanitization of the client cut text length, leading to memory disclosure or integer overflow via crafted VNC packets.
Vulnerability
An issue exists in LibVNCServer versions through 0.9.11 in the function rfbProcessClientNormalMessage() in rfbserver.c. When handling an rfbClientCutText message, the server does not sanitize the msg.cct.length field before using it. This can lead to accessing uninitialized or potentially sensitive data, or to integer overflow conditions. The problem was identified in version 0.9.9 (used in Red Hat Enterprise Linux 7) and persists to the latest commit in the repository at the time of reporting [1][4].
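The kind of length check the paragraph above says is missing, as an added example that is not LibVNCServer's code or its fix. It parses an RFB ClientCutText message from a buffer rather than a socket; the function name, status codes, the `MAX_CUT_TEXT` cap and the sample messages are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap for clipboard text; not a value taken from LibVNCServer. */
#define MAX_CUT_TEXT (1u << 20)

enum cut_status { CUT_OK = 0, CUT_BAD_HEADER, CUT_TOO_LARGE, CUT_TRUNCATED, CUT_NOMEM };

/* Constructed sample messages: type 6, 3 padding bytes, 4-byte big-endian length, text. */
static const uint8_t SAMPLE_OK[]    = {6, 0, 0, 0, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t SAMPLE_HUGE[]  = {6, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF};
static const uint8_t SAMPLE_SHORT[] = {6, 0, 0, 0, 0, 0, 0, 16, 'a', 'b'};

/* Parse one ClientCutText message; on CUT_OK the caller owns *text_out. */
enum cut_status parse_client_cut_text(const uint8_t *buf, size_t avail,
                                      char **text_out, uint32_t *len_out)
{
    *text_out = NULL;
    *len_out = 0;
    if (avail < 8 || buf[0] != 6)
        return CUT_BAD_HEADER;

    uint32_t len = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                   ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];

    /* Reject the untrusted length before any arithmetic or allocation uses it. */
    if (len > MAX_CUT_TEXT)
        return CUT_TOO_LARGE;
    /* The declared length must be backed by bytes that were actually received. */
    if ((size_t)len > avail - 8)
        return CUT_TRUNCATED;

    /* calloc zero-fills, so no stale heap bytes are exposed; +1 keeps a NUL terminator. */
    char *text = calloc((size_t)len + 1, 1);
    if (text == NULL)
        return CUT_NOMEM;
    memcpy(text, buf + 8, len);
    *text_out = text;
    *len_out = len;
    return CUT_OK;
}

int main(void)
{
    char *t; uint32_t n;
    int ok = parse_client_cut_text(SAMPLE_OK, sizeof SAMPLE_OK, &t, &n) == CUT_OK;
    free(t);
    return ok ? 0 : 1;
}
```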
Exploitation
An attacker with network access to a VNC server can send specially crafted VNC packets containing an rfbClientCutText message with a malicious length value. No authentication is required if the server is configured to allow unauthenticated connections. The attacker can repeatedly send such packets to trigger the vulnerability [1][4].
Impact
Successful exploitation may result in the disclosure of sensitive information from uninitialized memory areas, or cause integer overflows leading to unspecified impacts. The attacker could potentially crash the server or execute arbitrary code, although the primary risk highlighted in advisories is information disclosure. Red Hat rates this as a Moderate severity issue [1][4].
Mitigation
Red Hat released an update via RHSA-2018:1055 for Red Hat Enterprise Linux 7 on 2018-04-10, which includes patches for this vulnerability. Users should update to the fixed libvncserver package. Ubuntu also addressed the issue in iTALC (which vendors LibVNCServer) in USN-4587-1 and USN-4547-1 [2][3]. General users should update to the latest version of LibVNCServer; if not possible, restrict network access to VNC services to trusted hosts.
- [1] https://access.redhat.com/errata/RHSA-2018:1055
- [2] USN-4587-1: iTALC vulnerabilities (Ubuntu security notices)
- [3] USN-4547-1: iTALC vulnerabilities (Ubuntu security notices)
- [4] oss-security: LibVNCServer rfbserver.c: rfbProcessClientNormalMessage() case rfbClientCutText doesn't sanitize msg.cct.length
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=0.9.11
- osv-coords (10 versions):
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2011%20SP4
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2011%20SP4
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
- (no CPE) range: < 0.9.1-160.3.1
- (no CPE) range: < 0.9.9-17.5.1
- (no CPE) range: < 0.9.9-17.5.1
- (no CPE) range: < 0.9.9-17.5.1
- (no CPE) range: < 0.9.1-160.3.1
- (no CPE) range: < 0.9.9-17.5.1
- (no CPE) range: < 0.9.9-17.5.1
- (no CPE) range: < 0.9.1-160.3.1
- (no CPE) range: < 0.9.9-17.5.1
- (no CPE) range: < 0.9.9-17.5.1
Patches
No patches discovered yet.
References
- access.redhat.com/errata/RHSA-2018:1055 (mitre, vendor-advisory, x_refsource_REDHAT)
- security.gentoo.org/glsa/201908-05 (mitre, vendor-advisory, x_refsource_GENTOO)
- usn.ubuntu.com/3618-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4547-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4573-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- usn.ubuntu.com/4587-1/ (mitre, vendor-advisory, x_refsource_UBUNTU)
- www.debian.org/security/2018/dsa-4221 (mitre, vendor-advisory, x_refsource_DEBIAN)
- www.openwall.com/lists/oss-security/2018/02/18/1 (mitre, x_refsource_MISC)
- www.securityfocus.com/bid/103107 (mitre, vdb-entry, x_refsource_BID)
- github.com/LibVNC/libvncserver/issues/218 (mitre, x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2018/03/msg00035.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2019/10/msg00042.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2019/11/msg00032.html (mitre, mailing-list, x_refsource_MLIST)
- lists.debian.org/debian-lts-announce/2019/12/msg00028.html (mitre, mailing-list, x_refsource_MLIST)