CVE-2023-43826

HIGH 7.5

Apache Guacamole: Integer overflow in handling of VNC image buffers

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. If a user connects to a malicious or compromised VNC server, specially-crafted data could result in memory corruption, possibly allowing arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.5.4, which fixes this issue.

CWE	CWE-190
Vendor	apache software foundation
Product	apache guacamole
Published	Dec 19, 2023
Last Updated	Feb 25, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache guacamole

Be the first to know when new high vulnerabilities affecting apache software foundation apache guacamole are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Apache Software Foundation / Apache Guacamole

0 ≤ 1.5.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/23gzwftpfgtq97tj6ttmbclry53kmwv6 openwall.com: http://www.openwall.com/lists/oss-security/2023/12/19/4

Credits

🔍 Joseph Surin (Elttam) 🔍 Matt Jones (Elttam)