CVE-2023-43826 HIGH

CVE-2023-43826: Apache Guacamole: Integer overflow in handling of VNC image buffers

Vendor Apache Software Foundation

Product Apache Guacamole

Weakness CWE-190

Published December 19, 2023

Last update February 25, 2026

View on NVD All CVEs

CVSS base score

7.5/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially-crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.5.4, which fixes this issue.

Key dates

Disclosure timeline

December 19, 2023 CVE published

February 25, 2026 Record updated