{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70294?format=json","vulnerability_id":"VCID-3vzp-4w14-b7dx","summary":"Neat VNC is a VNC server library. Prior to 0.9.6, a pre-authentication stack buffer overflow exists in neatvnc in the RSA-AES security type handler. An unauthenticated remote attacker who can reach the VNC listening socket can send a crafted security type 5 (RSA-AES) or security type 129 (RSA-AES-256) handshake with an oversized client RSA public key, causing rsa_aes_send_challenge in src/auth/rsa-aes.c to overflow a 1024-byte on-stack buffer when encrypting the server challenge. This results in at least a denial of service via server crash. This vulnerability is fixed in 0.9.6.","aliases":[{"alias":"CVE-2026-42859"}],"fixed_packages":[],"affected_packages":[],"references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42859","reference_id":"","reference_type":"","scores":[{"value":"0.00203","scoring_system":"epss","scoring_elements":"0.42372","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.45004","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.45002","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00221","scoring_system":"epss","scoring_elements":"0.45015","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42859"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136644","reference_id":"1136644","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136644"},{"reference_url":"https://github.com/any1/neatvnc/commit/1f6cd6b75cc167fed3a19a9d1552a1f662f6b337","reference_id":"1f6cd6b75cc167fed3a19a9d1552a1f662f6b337","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:21:36Z/"}],"url":"https://github.com/any1/neatvnc/commit/1f6cd6b75cc167fed3a19a9d1552a1f662f6b337"},{"reference_url":"https://github.com/any1/neatvnc/security/advisories/GHSA-567c-gpv8-qh9h","reference_id":"GHSA-567c-gpv8-qh9h","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-11T18:21:36Z/"}],"url":"https://github.com/any1/neatvnc/security/advisories/GHSA-567c-gpv8-qh9h"}],"weaknesses":[{"cwe_id":120,"name":"Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')","description":"The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow."}],"exploits":[],"severity_range_score":"8.1 - 8.1","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3vzp-4w14-b7dx"}