CVE-2020-14403
Description
An issue was discovered in LibVNCServer before 0.9.13. libvncserver/hextile.c allows out-of-bounds access via encodings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LibVNCServer before 0.9.13 contains an out-of-bounds access vulnerability in hextile.c that can be triggered via crafted encoding data.
Vulnerability
An out-of-bounds access vulnerability exists in libvncserver/hextile.c in LibVNCServer versions before 0.9.13. The issue occurs when processing Hextile-encoded framebuffer updates; insufficient bounds checking allows reading or writing beyond allocated memory. [2]
Exploitation
An attacker with network access to a VNC server using LibVNCServer can send a specially crafted Hextile encoding message. No authentication is required if the server is configured to allow unauthenticated connections. The attacker must be able to send RFB protocol messages to the server.
Impact
Successful exploitation could lead to a denial of service (crash) or potentially arbitrary code execution, depending on the memory layout. The out-of-bounds access may also disclose sensitive information from server memory. [2]
Mitigation
The vulnerability is fixed in LibVNCServer version 0.9.13, released on 2020-06-17. Users should upgrade to this version or later. Distributions such as Ubuntu have released updated packages (e.g., USN-4434-1 for LibVNCServer and USN-4573-1 for Vino) that include the fix. [1][2]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
20- LibVNCServer/LibVNCServerdescription
- Range: <0.9.13
- osv-coords18 versionspkg:rpm/suse/LibVNCServer&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/LibVNCServer&distro=SUSE%20Enterprise%20Storage%205pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCLpkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSSpkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCLpkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-LTSSpkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSSpkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/LibVNCServer&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5pkg:rpm/suse/LibVNCServer&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/LibVNCServer&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/LibVNCServer&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/LibVNCServer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/LibVNCServer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209
< 0.9.9-17.31.1+ 17 more
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
- (no CPE)range: < 0.9.9-17.31.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- usn.ubuntu.com/4434-1/mitrevendor-advisoryx_refsource_UBUNTU
- usn.ubuntu.com/4573-1/mitrevendor-advisoryx_refsource_UBUNTU
- cert-portal.siemens.com/productcert/pdf/ssa-390195.pdfmitrex_refsource_CONFIRM
- github.com/LibVNC/libvncserver/commit/74e8a70f2c9a5248d6718ce443e07c7ed314dfffmitrex_refsource_MISC
- github.com/LibVNC/libvncserver/compare/LibVNCServer-0.9.12...LibVNCServer-0.9.13mitrex_refsource_MISC
- lists.debian.org/debian-lts-announce/2020/06/msg00035.htmlmitremailing-listx_refsource_MLIST
- lists.debian.org/debian-lts-announce/2020/08/msg00045.htmlmitremailing-listx_refsource_MLIST
News mentions
0No linked articles in our index yet.