External risk intelligence

TigerVNC: Unauthorized Screen Access and Manipulation Risk

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-34352

An incorrect permission flaw in TigerVNC's x0vncserver can let unauthorized users view or alter screen content, or crash applications. This exposes organizations to risks of data compromise and system disruption.

Halo Surface Signal: 2

Affected: TigerVNC before 1.16.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-34352

TigerVNC is typically deployed as a remote desktop or management tool intended for internal, private, or secure access rather than public internet exposure. While it is a network-accessible service, it is rarely exposed directly to the public internet without additional layers of control like VPNs or SSH tunnels.

PCI scan relevance

PCI Relevance for CVE-2026-34352

Yes

CVE-2026-34352 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthorized local users to view or manipulate screen contents, posing a risk to sensitive information and potentially causing denial of service. Such issues can lead to PCI ASV scan failures.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

In TigerVNC, a flaw in Image.cxx within x0vncserver can allow unauthorized users to view or alter screen content. This could also lead to application crashes. The core issue stems from incorrect permission handling.

  • Vulnerable TigerVNC component
  • Incorrect permission handling
  • Unauthorized screen access or manipulation

Attack Path

How an attacker could exploit the issue

The vulnerability allows unauthorized users to observe or manipulate screen contents, or cause an application crash, due to incorrect permissions. This impacts the confidentiality, integrity, and availability of the affected system. Attackers can exploit this to gain unauthorized access and potentially disrupt operations.

  • Incorrect permissions expose the system.
  • Attackers gain access to manipulate or crash systems.
  • Unauthorized observation or control occurs.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthorized users to observe or manipulate screen content, or cause application crashes, due to incorrect permissions. Exploitation could lead to data exposure, system instability, and unauthorized control over affected systems. Organizations should treat this as a high-priority issue due to the potential for significant business risk.

  • Likely attacker skill level: Low
  • Required access or conditions: Network access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Incorrect permissions in the x0vncserver component of TigerVNC can allow unauthorized users to view or alter screen content, or cause application failures. This vulnerability poses a significant risk of data compromise and system disruption. Organizations utilizing this software should take immediate steps to address the exposure.

  • Identify all instances of affected software.
  • Restrict network access to the affected component.
  • Apply the vendor fix and verify its implementation.
  • Monitor for related activity.

Frequently asked questions

What is TigerVNC and its primary function?

TigerVNC is a high-performance, cross-platform VNC server and client application. It enables users to remotely access and control graphical desktops on machines running Linux, Windows, or macOS, facilitating remote administration and collaboration.

What type of vulnerability does CVE-2026-34352 represent and what is its weakness class?

CVE-2026-34352 is an insecure permissions vulnerability classified under CWE-732: Incorrect Permission Assignment for Critical Resource. It affects TigerVNC's x0vncserver component.

How are the incorrect permissions exploited in CVE-2026-34352?

In TigerVNC versions prior to 1.16.2, the x0vncserver component incorrectly sets permissions (0777) on shared memory segments used for screen data. This allows any local user to access these segments, enabling them to view, manipulate, or crash the VNC session without authorization.

What is the potential impact of CVE-2026-34352 according to Halo Surface Signal?

Halo Surface Signal classifies this CVE as 'Unlikely' to be exploited externally, as TigerVNC is typically used for internal, private, or secure access rather than direct public internet exposure. However, the vulnerability itself allows unauthorized observation or manipulation of screen contents, potentially leading to information disclosure or system instability.

What are the recommended steps to mitigate CVE-2026-34352?

To address CVE-2026-34352, it is recommended to upgrade TigerVNC to version 1.16.2 or later immediately. Additionally, restrict local system access to trusted users, audit shared memory segments for improper permissions, and consider temporarily disabling x0vncserver on multi-user systems if applicable.
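The "audit shared memory segments for improper permissions" step above can be scripted. The following is an added example for this page, not code from the TigerVNC project or from the advisory's author. It assumes a Linux host, where the kernel lists System V shared memory segments in `/proc/sysvipc/shm` (the same table `ipcs -m` reads) with the mode in the octal `perms` column; the sample table embedded in the script is constructed, not captured from a real system. The check is generic: it flags any segment readable or writable by "other", whichever process created it, so it also catches the 0777 segments this advisory describes.

```python
"""Flag System V shared memory segments that every local user can read or
write, the kind of permission mistake described in this advisory.

Added example for this page, not TigerVNC code. Assumes Linux, where the
kernel lists SysV segments in /proc/sysvipc/shm with the mode printed in
octal in the 'perms' column."""
import stat

PROC_SHM = "/proc/sysvipc/shm"
WORLD_READ = stat.S_IROTH   # 0o004
WORLD_WRITE = stat.S_IWOTH  # 0o002

# Constructed sample in /proc/sysvipc/shm layout (not from a real host):
# a private 0600 segment, a 0777 segment sized like a 1920x1080x4 framebuffer,
# and a 0666 segment owned by root with nothing attached.
SAMPLE_PROC_SHM = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime                   rss                  swap
         0          3   600    4194304  4242  4242      1  1000  1000  1000  1000 1700000000          0 1700000000              4194304                    0
         0          7   777    8294400  5151  5151      2  1000  1000  1000  1000 1700000100          0 1700000100              8294400                    0
         0          9   666    1048576  6161  6161      0     0     0     0     0 1700000200 1700000250 1700000200              1048576                    0
"""

COLUMNS = ("key", "shmid", "perms", "size", "cpid", "lpid", "nattch",
           "uid", "gid", "cuid", "cgid", "atime", "dtime", "ctime", "rss", "swap")


def parse_proc_shm(text):
    """Parse the /proc/sysvipc/shm table into a list of dicts.

    Every column is decimal except 'perms', which the kernel prints in octal."""
    segments = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "key":   # blank line or the header row
            continue
        row = {}
        for name, value in zip(COLUMNS, fields):
            row[name] = int(value, 8) if name == "perms" else int(value)
        segments.append(row)
    return segments


def find_world_accessible(segments):
    """Return the segments whose mode grants read or write to 'other'.

    Each finding keeps the owner, creator pid and attach count so a responder
    can tell a live, exposed framebuffer from a stale leftover segment."""
    findings = []
    for seg in segments:
        mode = seg["perms"]
        world_read = bool(mode & WORLD_READ)
        world_write = bool(mode & WORLD_WRITE)
        if world_read or world_write:
            findings.append({
                "shmid": seg["shmid"],
                "mode": format(mode, "04o"),
                "size": seg["size"],
                "owner_uid": seg["uid"],
                "creator_pid": seg["cpid"],
                "attached": seg["nattch"],
                "world_read": world_read,
                "world_write": world_write,
            })
    return findings


def audit_host(path=PROC_SHM):
    """Run the check against the live kernel table and return the findings."""
    with open(path, encoding="ascii") as fh:
        return find_world_accessible(parse_proc_shm(fh.read()))


if __name__ == "__main__":
    # Demonstrate on the constructed sample; call audit_host() on a real host.
    for f in find_world_accessible(parse_proc_shm(SAMPLE_PROC_SHM)):
        print(f"shmid {f['shmid']}: mode {f['mode']}, {f['size']} bytes, "
              f"uid {f['owner_uid']}, cpid {f['creator_pid']}, "
              f"{f['attached']} attached, world_write={f['world_write']}")
```

On a real host, `audit_host()` needs no privileges beyond read access to `/proc/sysvipc/shm`. The creator pid in each finding lets you confirm whether the segment belongs to an x0vncserver process; a finding on a host that should already be on 1.16.2 or later is a sign the upgrade did not land, since the fix is to update rather than to chmod segments by hand.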
