VYPR
Unrated severity · OSV Advisory · Published Feb 19, 2018 · Updated Aug 5, 2024

CVE-2018-7226

Description

An issue was discovered in vcSetXCutTextProc() in VNConsole.c in LinuxVNC and VNCommand from the LibVNC/vncterm distribution through 0.9.10. Missing sanitization of the client-specified message length may cause integer overflow or possibly have unspecified other impact via a specially crafted VNC packet.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Libvncserver/Vncterm (OSV, 2 versions)
    • (no CPE) range: 0.1, 0.9.10
    • (no CPE) range: <=0.9.10

Patches

Vulnerability mechanics

Root cause

"Missing sanitization of the client-specified message length in vcSetXCutTextProc() can lead to integer overflow and memory corruption."

Attack vector

An attacker can send a specially crafted VNC packet to the vulnerable server. This packet contains a message length that, when processed by `vcSetXCutTextProc()`, causes an integer overflow. The overflow can lead to a `malloc(0)` call followed by a `memcpy` with a negative length, resulting in writing beyond allocated memory.

Affected code

The vulnerability lies within the `vcSetXCutTextProc()` function located in `VNConsole.c` within the LibVNC/vncterm distribution. The implementation uses `int` for the length parameter and performs a `malloc(len+1)` operation without adequate checks, which can lead to integer overflows and subsequent memory corruption.

What the fix does

The patch, as described in the reference write-ups, addresses the integer overflow by ensuring proper sanitization of the length parameter before it is used in memory allocation and copying operations. Specifically, it prevents `len+1` from overflowing and ensures that `malloc` is checked for null returns before `memcpy` is called, mitigating the risk of buffer overflows and null pointer dereferences.
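The length handling described above, as an added example that is neither the LibVNC patch nor code from this advisory. `unchecked_sizes`, `copy_cut_text` and the `MAX_CUT_TEXT` cap are hypothetical names and values, and a 32-bit `int` is assumed. The first function only computes the sizes the unchecked `malloc(len+1)` / `memcpy(..., len)` pattern would use; the second validates the length before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap for clipboard text; not a value from the advisory. */
#define MAX_CUT_TEXT (1u << 20)

/* Sizes the unchecked pattern would hand to malloc() and memcpy(). */
struct sizes { size_t alloc_size; size_t copy_size; };

/* Models malloc(len+1) / memcpy(..., len) with an int len; copies nothing. */
struct sizes unchecked_sizes(uint32_t wire_len)
{
    int len = (int)wire_len;                   /* large values turn negative */
    int plus_one = (int)((unsigned)len + 1u);  /* wraps without signed-overflow UB */
    struct sizes s = { (size_t)plus_one, (size_t)len };
    return s;
}

/* Hardened copy: NUL-terminated duplicate, or NULL if rejected. */
char *copy_cut_text(const char *str, int len)
{
    if (str == NULL || len < 0 || (size_t)len > MAX_CUT_TEXT)
        return NULL;                           /* reject before any arithmetic */
    char *buf = malloc((size_t)len + 1);       /* cannot wrap after the check */
    if (buf == NULL)
        return NULL;                           /* never memcpy into NULL */
    memcpy(buf, str, (size_t)len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    struct sizes s = unchecked_sizes(0xFFFFFFFFu);  /* constructed sample value */
    printf("unchecked: malloc(%zu), memcpy(..., %zu)\n", s.alloc_size, s.copy_size);
    char *ok = copy_cut_text("hello", 5);
    printf("checked:   len=5 -> %s, len=-1 -> %s\n",
           ok ? ok : "(null)", copy_cut_text("x", -1) ? "copied" : "rejected");
    free(ok);
    return 0;
}
```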

Preconditions

  • input: A specially crafted VNC packet with a manipulated message length.

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
