Apache Guacamole: Integer overflow in handling of VNC image buffers
Description
Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially-crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process.
Users are recommended to upgrade to version 1.5.4, which fixes this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Integer overflow in Apache Guacamole when handling VNC image buffers may allow RCE from a malicious VNC server.
Vulnerability
Apache Guacamole versions 1.5.3 and older contain an integer overflow vulnerability in the handling of VNC image buffers. When a user connects to a VNC server, specially crafted data from a malicious or compromised VNC server can cause the integer overflow, leading to memory corruption [1]. The issue resides in the guacd process, which processes the VNC protocol data.
Exploitation
An attacker must control or compromise a VNC server that a Guacamole user connects to. The attacker then sends specially crafted VNC image data that triggers an integer overflow during buffer size calculations. No special authentication is required beyond normal VNC connection credentials. The attacker's position is network-level, as they must be able to send crafted VNC data to the victim's Guacamole client.
Impact
Successful exploitation could allow the attacker to achieve arbitrary code execution with the privileges of the guacd process. This could lead to full compromise of the Guacamole gateway, including disclosure of sensitive data, modification or destruction of resources, and potential lateral movement within the network [1].
Mitigation
Users should upgrade to Apache Guacamole version 1.5.4 or later, which contains a fix for this issue [1]. No workarounds have been published. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
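The class of defect described above, a buffer size computed from server-supplied image dimensions, is avoided by validating each factor before multiplying. The following is an added example, not code from Apache Guacamole or its fix; the function names, the 256 MiB limit, the 4-bytes-per-pixel maximum and the sample dimensions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limit for one image buffer (256 MiB); not a Guacamole value. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Unchecked form, for contrast: 32-bit arithmetic wraps silently, so
 * oversized dimensions can yield a small (even zero) allocation size. */
uint32_t unchecked_image_size(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;
}

/* Checked form: bounds each untrusted factor by division before
 * multiplying, so no intermediate product can wrap. Assumes at most
 * 4 bytes per pixel. Returns 0 and stores the size in *out, or -1. */
int checked_image_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out) {
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4)
        return -1;
    if (width > MAX_IMAGE_BYTES / bpp)
        return -1;
    size_t stride = (size_t)width * bpp;   /* bytes per row, <= MAX_IMAGE_BYTES */
    if (height > MAX_IMAGE_BYTES / stride)
        return -1;
    *out = stride * height;                /* <= MAX_IMAGE_BYTES, cannot wrap */
    return 0;
}

/* Allocates a zeroed image buffer, or returns NULL if the size is rejected. */
unsigned char *alloc_image(uint32_t width, uint32_t height, uint32_t bpp) {
    size_t size;
    if (checked_image_size(width, height, bpp, &size) != 0)
        return NULL;
    return calloc(1, size);
}

int main(void) {
    /* Constructed inputs: an oversized request and a normal desktop. */
    size_t size = 0;
    printf("unchecked 65536x65536x4 -> %u bytes\n",
           (unsigned)unchecked_image_size(65536, 65536, 4));
    int rc = checked_image_size(65536, 65536, 4, &size);
    printf("checked   65536x65536x4 -> %d\n", rc);
    rc = checked_image_size(1920, 1080, 4, &size);
    printf("checked   1920x1080x4   -> %d (%zu bytes)\n", rc, size);
    return 0;
}
```

Rejecting the request before allocation means later writes sized by the original dimensions never land in an undersized buffer.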
Affected products
- osv-coords (2 versions): < 1.5.3 + 1 more
- (no CPE) range: < 1.5.3
- (no CPE) range: < 1.5.3
Patches
No patches discovered yet.
References