TigerVNC, a suite of VNC servers and clients used for remote desktop access, and the X.Org X server's xwayland component have multiple vulnerabilities. CVE-2026-33999 is an integer underflow in XKB compatibility map handling causing denial of service. CVE-2026-34001 is a use-after-free vulnerability that may cause server crashes and memory corruption. CVE-2026-34003 involves out-of-bounds memory access leading to information exposure and denial of service. CVE-2026-34352 affects TigerVNC's x0vncserver, allowing information disclosure, data manipulation, and denial of service due to incorrect permissions. These vulnerabilities are addressed in Red Hat Enterprise Linux 8 updates. The advisory references Red Hat Security Advisory RHSA-2026:13414 for detailed patch information.

The vulnerabilities can lead to denial of service conditions, server crashes, potential memory corruption, information disclosure, and unauthorized data manipulation. These impacts affect the confidentiality, integrity, and availability of systems running TigerVNC and X.Org X server components on affected Red Hat Enterprise Linux versions. No exploits in the wild have been reported, but the issues pose a high security risk if left unpatched.

Red Hat has released an important security update for TigerVNC and related X.Org X server components in Red Hat Enterprise Linux 8. Users should apply the update tigervnc-1.15.0-9.el8_10 and associated packages as detailed in Red Hat Advisory RHSA-2026:13414. Instructions for applying the update are available at https://access.redhat.com/articles/11258. Applying this update remediates the described vulnerabilities. No additional mitigation steps are specified or required by the vendor.