{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-34352", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-03-26T22:30:46.508Z", "datePublished": "2026-03-26T22:30:46.928Z", "dateUpdated": "2026-03-26T22:37:28.411Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "TigerVNC", "vendor": "TigerVNC", "versions": [{"lessThan": "1.16.2", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-26T22:37:28.411Z"}, "references": [{"url": "https://www.openwall.com/lists/oss-security/2026/03/26/7"}, {"url": "https://github.com/TigerVNC/tigervnc/commit/0b5cab169d847789efa54459a87659d3fd484393"}, {"url": "https://sourceforge.net/projects/tigervnc/files/stable/1.16.2"}, {"url": "https://groups.google.com/g/tigervnc-announce/c/anHL9WLshLI"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions."}], "id": "CVE-2026-34352", "lastModified": "2026-03-26T23:16:20.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.3, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-03-26T23:16:20.903", "references": [{"source": "cve@mitre.org", "url": "https://github.com/TigerVNC/tigervnc/commit/0b5cab169d847789efa54459a87659d3fd484393"}, {"source": "cve@mitre.org", "url": "https://groups.google.com/g/tigervnc-announce/c/anHL9WLshLI"}, {"source": "cve@mitre.org", "url": "https://sourceforge.net/projects/tigervnc/files/stable/1.16.2"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2026/03/26/7"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.16.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "TigerVNC", "source": "cna", "vendor": "TigerVNC"}, "product": "tigervnc", "vendor": "tigervnc"}], "analysis": {"en": {"generated_at": "2026-03-27T06:37:57.011135+00:00", "value": {"mitigation_remediation": ["Upgrade TigerVNC to version 1.16.2 or later from the official repository or release page. ", "Verify that the installed binary reports the patched version and that the Image.cxx source reflects the security fix. ", "Restrict local access to the Xvnc service by ensuring only authorized users can run the server, for example by setting strict file permissions on the X server socket or by configuring the daemon to run under a dedicated account. "], "summary": {"action": "Immediate Patch", "impact": "Unauthorized screen content exposure and potential denial of service"}, "threat_synthesis": {"affected_systems": "The issue affects installations of TigerVNC version 1.16.1 and earlier. Users deploying these versions should verify their current release; upgrading to 1.16.2 or later eliminates the exposed permissions bug.", "description_and_impact": "A misconfigured permission in TigerVNC\u2019s Image.cxx within the x0vncserver module allows local users to view or manipulate the screen contents, or trigger a crash of the application. This vulnerability can lead to confidential information being disclosed or the remote desktop session being disrupted, thereby compromising the integrity and availability of the graphical environment.", "risk_and_exploitability": "The CVSS score of 8.5 indicates a high severity vulnerability. Although no EPSS value is supplied, the exploit requires only local access, meaning any user with the same host privileges could exploit it. The vulnerability is not listed in the CISA KEV catalogue, but its high impact and local nature warrant urgent attention. It is inferred that the attack vector is local via shared memory or file permissions."}}}}, "created": "2026-03-27T08:33:06.755366+00:00", "title": "Permission Misconfiguration Allows Unauthorized Access to Screen Content in TigerVNC", "updated": "2026-03-27T09:22:56.439996+00:00", "vendors": ["tigervnc", "tigervnc$PRODUCT$tigervnc"]}