CVE-2019-20788
Description
libvncclient/cursor.c in LibVNCServer through 0.9.12 has a HandleCursorShape integer overflow and heap-based buffer overflow via a large height or width value. NOTE: this may overlap CVE-2019-15690.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in LibVNCClient's HandleCursorShape function allows a malicious VNC server to trigger a heap buffer overflow, potentially leading to RCE.
Vulnerability
LibVNCServer through version 0.9.12 contains an integer overflow vulnerability in the HandleCursorShape function in libvncclient/cursor.c. When a client connects to a VNC server, the server can send a cursor shape update with a large width or height value. The calculation bytesPerRow = (width + 7) / 8 and bytesMaskData = bytesPerRow * height can overflow, leading to an undersized heap allocation. The subsequent malloc(width * height * bytesPerPixel) [1] also relies on the unchecked dimensions. The issue was fixed in LibVNCServer 0.9.13 [1] and in commit 5422024 [3], which introduced a MAX_CURSOR_SIZE check (set to 1024) to reject cursors with dimensions equal to or greater than that limit [3].
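The sizing arithmetic described above, as an added example that is not LibVNCServer's code: the unchecked 32-bit width * height * bytesPerPixel product beside a guard equivalent to the fix's MAX_CURSOR_SIZE check, using constructed dimensions (32768x32768 at 4 bytes per pixel) that fit 16-bit RFB fields yet make the product wrap to zero.

```c
#include <stdint.h>
#include <stdio.h>
/* Added example modelling the cursor-shape sizing described above; not
 * LibVNCServer's code. All dimensions used below are constructed. */
#define MAX_CURSOR_SIZE 1024   /* the limit the fix commit introduced */

/* Size the unchecked width * height * bytesPerPixel would hand to malloc(),
 * reduced modulo 2^32 the way a 32-bit product wraps. */
static uint32_t truncated_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return (uint32_t)((uint64_t)width * height * bpp);
}

/* 1 when the wrapped size is smaller than the pixel data the server then
 * sends, i.e. the copy would run past the allocated buffer. */
static int would_undersize(uint32_t width, uint32_t height, uint32_t bpp)
{
    return truncated_pixel_bytes(width, height, bpp) < (uint64_t)width * height * bpp;
}

/* Guard equivalent to the fix: size a cursor only when both dimensions are
 * non-zero and strictly below MAX_CURSOR_SIZE. */
static int cursor_dims_ok(uint32_t width, uint32_t height)
{
    return width != 0 && height != 0 &&
           width < MAX_CURSOR_SIZE && height < MAX_CURSOR_SIZE;
}

/* Overflow-free sizing for accepted cursors, computed in size_t; 0 means
 * "allocate nothing" because the guard rejected the input. */
static size_t checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (!cursor_dims_ok(width, height) || bpp == 0 || bpp > 4) return 0;
    return (size_t)width * height * bpp;        /* at most 1023 * 1023 * 4 */
}
static size_t checked_mask_bytes(uint32_t width, uint32_t height)
{
    if (!cursor_dims_ok(width, height)) return 0;
    return (((size_t)width + 7) / 8) * height;  /* at most 128 * 1023 */
}

int main(void)
{
    /* Constructed 32768x32768 cursor, 4 bytes/pixel: fits 16-bit RFB fields, but the 32-bit product is 2^32 and wraps to 0. */
    printf("wrapped size %u, undersized=%d, guard accepts=%d\n",
           (unsigned)truncated_pixel_bytes(32768, 32768, 4),
           would_undersize(32768, 32768, 4), cursor_dims_ok(32768, 32768));
    return 0;
}
```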
Exploitation
An attacker who controls a malicious VNC server can exploit this vulnerability when a vulnerable client connects and processes a crafted cursor shape update. No authentication is required; the attacker simply sends a specially crafted RFB message with oversized width or height fields. The vulnerable client will then compute a buffer size that may overflow or be far smaller than expected, leading to a heap buffer overflow when copying pixel data into the allocated buffer [1].
Impact
Successful exploitation allows the attacker to corrupt heap memory, potentially leading to remote code execution (RCE) in the context of the VNC client process. The vulnerability can also cause a denial of service via crash. The scope of compromise is limited to the client machine, but an attacker may achieve arbitrary code execution [1].
Mitigation
The vulnerability was addressed in LibVNCServer version 0.9.13, released on April 23, 2020 [1]. Users should upgrade to this version or later. The fix is also included in the commit 5422024 [3], which enforces a maximum cursor size of 1024 pixels. Users of Linux distributions should apply the relevant security updates (e.g., USN-4407-1 [2]). There is no known workaround other than updating, and the vulnerability is not listed in CISA's KEV.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- LibVNCServer/LibVNCServer (25 entries)
- OSV coordinates (24 versions; each entry has no CPE):
  - pkg:rpm/opensuse/LibVNCServer&distro=openSUSE%20Leap%2015.1 (range: < 0.9.10-lp151.7.3.1)
  - pkg:rpm/suse/LibVNCServer&distro=HPE%20Helion%20OpenStack%208 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Enterprise%20Storage%205 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP1 (range: < 0.9.10-4.14.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3 (range: < 0.9.1-160.14.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS (range: < 0.9.1-160.14.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSS (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP4 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Workstation%20Extension%2015%20SP1 (range: < 0.9.10-4.14.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20OpenStack%20Cloud%207 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20OpenStack%20Cloud%208 (range: < 0.9.9-17.19.1)
  - pkg:rpm/suse/LibVNCServer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 (range: < 0.9.9-17.19.1)
Patches
- 54220248886b libvncclient/cursor: limit width/height input values
1 file changed · +5 −0
libvncclient/cursor.c+5 −0 modified@@ -28,6 +28,8 @@ #define OPER_SAVE 0 #define OPER_RESTORE 1 +#define MAX_CURSOR_SIZE 1024 + #define RGB24_TO_PIXEL(bpp,r,g,b) \ ((((uint##bpp##_t)(r) & 0xFF) * client->format.redMax + 127) / 255 \ << client->format.redShift | \ @@ -54,6 +56,9 @@ rfbBool HandleCursorShape(rfbClient* client,int xhot, int yhot, int width, int h if (width * height == 0) return TRUE; + if (width >= MAX_CURSOR_SIZE || height >= MAX_CURSOR_SIZE) + return FALSE; + /* Allocate memory for pixel data and temporary mask data. */ if(client->rcSource) free(client->rcSource);
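Review bot: in the second hunk the new bound check is placed after `if (width * height == 0) return TRUE;`, so the product of the two caller-supplied values is still evaluated before either has been range-checked; moving the `MAX_CURSOR_SIZE` comparison above that line, or replacing the product test with `width == 0 || height == 0`, keeps every arithmetic operation on these inputs behind the guard. The signature visible in the hunk header declares `int width, int h...`, and `>= MAX_CURSOR_SIZE` only bounds from above, so adding `width <= 0 || height <= 0` to the same condition would make the guard complete for any caller passing a signed value. The early `return FALSE` is silent; a short log line stating the rejected dimensions would let operators distinguish a malformed server from an ordinary disconnect.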
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.opensuse.org/opensuse-security-announce/2020-05/msg00027.html (MITRE; vendor advisory; x_refsource_SUSE)
- usn.ubuntu.com/4407-1/ (MITRE; vendor advisory; x_refsource_UBUNTU)
- cert-portal.siemens.com/productcert/pdf/ssa-390195.pdf (MITRE; x_refsource_CONFIRM)
- github.com/LibVNC/libvncserver/commit/54220248886b5001fbbb9fa73c4e1a2cb9413fed (MITRE; x_refsource_MISC)
- securitylab.github.com/advisories/GHSL-2020-064-libvnc-libvncclient (MITRE; x_refsource_MISC)
News mentions
No linked articles in our index yet.