{"id":"CVE-2020-26117","details":"In rfb/CSecurityTLS.cxx and rfb/CSecurityTLS.java in TigerVNC before 1.11.0, viewers mishandle TLS certificate exceptions. They store the certificates as authorities, meaning that the owner of a certificate could impersonate any server after a client had added an exception.","modified":"2026-04-16T04:31:00.151962203Z","published":"2020-09-27T04:15:11.650Z","related":["SUSE-SU-2020:2880-1","SUSE-SU-2020:2881-1","SUSE-SU-2020:2882-1","SUSE-SU-2020:2898-1","openSUSE-SU-2020:1666-1","openSUSE-SU-2020:1841-1","openSUSE-SU-2024:10591-1"],"references":[{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00025.html"},{"type":"ADVISORY","url":"https://github.com/TigerVNC/tigervnc/releases/tag/v1.11.0"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00007.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00024.html"},{"type":"REPORT","url":"https://bugzilla.opensuse.org/show_bug.cgi?id=1176733"},{"type":"FIX","url":"https://github.com/TigerVNC/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba"},{"type":"FIX","url":"https://github.com/TigerVNC/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb"},{"type":"FIX","url":"https://github.com/TigerVNC/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b"},{"type":"FIX","url":"https://github.com/TigerVNC/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tigervnc/tigervnc","events":[{"introduced":"0"},{"fixed":"540bfc3278e396321124d4b18a798ac2bc18b6ca"},{"fixed":"20dea801e747318525a5859fe4f37c52b05310cb"},{"fixed":"7399eab79a4365434d26494fa1628ce1eb91562b"},{"fixed":"b30f10c681ec87720cff85d490f67098568a9cba"},{"fixed":"f029745f63ac7d22fb91639b2cb5b3ab56134d6e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.11.0"}]}}],"versions":["v0.0.90","v1.1.90","v1.10.90"],"database_specific":{"vanir_signatures_modified":"2026-04-11T11:23:26Z","vanir_signatures":[{"id":"CVE-2020-26117-19f71fbe","signature_version":"v1","signature_type":"Line","target":{"file":"common/rfb/CSecurityTLS.cxx"},"digest":{"threshold":0.9,"line_hashes":["263214322393408254260605549209686920776","340218197713879364519904928505928323817","265810417532971925276039608667021944840","87970873708132661354644512840402019446","300699054843167153655286684315137057490","164552726582983008666846810611097800591","44615290605528466953362371164006484364","103848164657440654177727747552846674516","152995984252069465373706074680041738024","224188781060234344961706645279913701938","248692748919983500288094581078436711057","174691128926293410565358892221930411903","214238083254559910563304439164533046558","213296741597080508649362002215284469969","143157829155743455154744212000718832466","124914608028022645447878518161198060247","202389399686940422438919541121567111745","154879259351855591937610514540899234054","86156144306735322566613265414823887214","64983589881964372285336756084123892867","29849385229262091254341847817116254117","257498437327476931408350979006736153885","75030434748687170618585101679473643779","176146611924789049808777870681011510928","104666090561362156377636915665421757331","177755207096890515885463460690297722394","70175214386111700195449851238439535491","61989777311364316396425281345691132272","250221114018920324057281303981284176710","307313871574534274878813563327105252677","131436535749357470954019527677490526257","328146917239871589009913792651517393528","179452115654797436825194683809663894280","309920327776155037017954373833707631523","13508452173870920467087194477289560486","304629640896755118783829335041177903214","86928767823511955829968133917688387580","111235542167029993851311340411151454710","81645841122743510593479228142836250763","190021969294927712065409863975059799568","84761604777184184418405348863985527473","230219580313496022869481131829808894356","246487152823262660887901119492191033242","225406243624184470315496388970452546982","83302603859383727813384300730640431519","66417368719008689052096949860666966345","97039647734427964399281093046594510431","279309249801450887729749605230253685076","267181665381862134241477543681541094556","47843624719877106759787086793688485631","2636119635564817466577767689115821376","201387575904897796512926306069928464908","143965408374202549540519150630601185894","40827157563397065192608995555259968693","266931591069126340724896943176313920313","93546517334927694343899834573780244559","198365803604563852760739409792537246455","223604652154849951866199781521286863062","71610483470377247526170603824101751385","108722168639355652159744726559679615326","4414446391156346598771017202005340327","27323057166928396410356996763603314535","211218431164198948075823940241107869221","320601668993721110806643122925865169404","152730948427229885824349151764261802720","52026990640962902289856795886908131879","63604712016446620971815521732643394423","75426374539086321220727477348551745025","85138367514738803171437275417993789613","53302489509048722616022818231248572902","102887284832336077290315771760258538978","7328998931768003638298835777769009670","174734608297700673135715809125294524395","16625777745903634272226653728882268479","216908421977846639795176175660168497540","203745948117592999426904998636585405611","187856409820637445907237918033854963110","288561031059781565136128210592787267143","90592481303161552805733368040086996217","179377746466428180176105515363902806816","34984507469221483754390721683283847356","305314871354220264525228261334441197332","91352138594475261118773591965501346230","258801705487683239539801212219153932233","19484426234212316489985654619432444192","283572624698696957581999389971462936853","287936696848325603457424214164536432786","328163728519969632072940587247571833450","159904244579816374470837565290636687946","158907556302437409789714384082536833080","87919754723724172547907625652001571962"]},"deprecated":false,"source":"https://github.com/tigervnc/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba"},{"id":"CVE-2020-26117-27cba9f8","signature_version":"v1","signature_type":"Function","target":{"function":"checkServerTrusted","file":"java/com/tigervnc/rfb/CSecurityTLS.java"},"source":"https://github.com/tigervnc/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e","deprecated":false,"digest":{"function_hash":"276666865752570552465495491833409124911","length":2641}},{"id":"CVE-2020-26117-2d94e76f","signature_version":"v1","signature_type":"Line","target":{"file":"java/com/tigervnc/rfb/CSecurityTLS.java"},"digest":{"threshold":0.9,"line_hashes":["254879959597166708755377749650092146197","91374251727540154784640120542065135707","317750636556665453140357267196333903036","122034930550491273858260519664642317549","15306066965717648274846281460961221552","8359757768283778176100266673814333688","195594014990822937998606006608676353137","163907564754652202958727677559930791291","191173020480441151243054271238796557056","176391867862463755035176769380039744987","215949152956701877350863480872190827485","301925422789395614728725500503903357093","171141906967346827141715997120599041976","259836959624830035168989233040149512796","171400388409850029316434364067787245533","280797236001931874598265213314956196231","234853621643550317150043400232918937596","298138712047860620118991865280549173326","241867655132983065551386911308344740942","275985508854433839568890994699471561170","37716473888198639734582598260815432593","115638908104793614950864061757061052188","23890399186960892481985154487246799250","112456401072074104998263163674961375355","132613737626536205442413759437815439948","276909342171975476205366415546481182536","262161241997242183815333375110498740128","210386239589110699861056986189035039293","154031391660635096177071401801736552667","262951142028915106348881470456900793118","211404710298499267591154693129600179358","180876876878939480545105054429109936139","221218545074832050248923509876989254863","167930801113009357847765312407235664269","16215466250138313959273349094469010439","302548827383446955325381188304407746119","230607873021703531616651766072869775501","275271691056273547307731678213069818383","52480264368752283306814528045733057384","110094185248068617651578191089652689074","295437726373908906170821333999014637020","159893366148396533924476947028257476592","337655009449511567704292048193555671302","235109380811030652495271224962294868347","313664500469646561696614838650422521822","85071562909927606855282943384190447116","105623375990431245771884164164052012675","34066462780277851660343757683853693274","14256153534036762110284359629725201684","234705357188647279575606479248055096057","2045440066189240568615128474422196585","250483951101915926401103682101526511642","322286450437971710761055480809829416957","338951865573711907685798198207872699889","189271582741122875855675895314226238789","322532572360941536145539758310905975617","252747538684603118245562326705704777590","57774115659019667675187307953677546450","78236115644600910666108049033713959711","328574336174015539613824392791933867233","94978226231476831651657999490819173687","258011737209223364754710918939293936060","301039337978069029157573332249962744751","49878952997896672656256115008628934177","141011388073116832040079848902629628980","209426839997604428257636479502961932511","326376275745100108847494443313026079285","252924066458013103370019354674249438284","96519674172655070622995271013051783950","12588656660915139206624106126851091988","216140370357140389066494044291736249624","10247107177776105081068420504935270357","298262449128677742073543154189804171335","266579077171081317923228257089898474463","186655021405025787473472938203908035627","135288382373364252247293129000320938176","33922577972372784637579595521793618648","86433196583906963845356328707397126959","297343985385585626126475039174990947154","192134324957365557258796984240847509529","259954945552822637932455911528933080032","187790039851367162610372532627211978216","254653553625335318806707780114029310382","253346221738326479658918580967898495721","295296897767744238230610301969502014456","198034381278607021475773071460387823253","210468809876189970164919975811144121437"]},"deprecated":false,"source":"https://github.com/tigervnc/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb"},{"id":"CVE-2020-26117-3cd597da","signature_version":"v1","signature_type":"Function","target":{"function":"CSecurityTLS::setParam","file":"common/rfb/CSecurityTLS.cxx"},"source":"https://github.com/tigervnc/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b","deprecated":false,"digest":{"length":2289,"function_hash":"340027552213134010602828033501919163408"}},{"id":"CVE-2020-26117-43dc9a62","signature_type":"Function","signature_version":"v1","target":{"function":"CSecurityTLS::checkSession","file":"common/rfb/CSecurityTLS.cxx"},"digest":{"length":4628,"function_hash":"80294187960653727781454827179465497854"},"deprecated":false,"source":"https://github.com/tigervnc/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba"},{"id":"CVE-2020-26117-5e926430","signature_version":"v1","signature_type":"Function","target":{"function":"checkServerTrusted","file":"java/com/tigervnc/rfb/CSecurityTLS.java"},"digest":{"length":2641,"function_hash":"276666865752570552465495491833409124911"},"deprecated":false,"source":"https://github.com/tigervnc/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb"},{"id":"CVE-2020-26117-6d864444","signature_type":"Line","signature_version":"v1","target":{"file":"common/rfb/CSecurityTLS.cxx"},"digest":{"threshold":0.9,"line_hashes":["263214322393408254260605549209686920776","340218197713879364519904928505928323817","265810417532971925276039608667021944840","87970873708132661354644512840402019446","300699054843167153655286684315137057490","164552726582983008666846810611097800591","44615290605528466953362371164006484364","103848164657440654177727747552846674516","152995984252069465373706074680041738024","224188781060234344961706645279913701938","248692748919983500288094581078436711057","174691128926293410565358892221930411903","214238083254559910563304439164533046558","213296741597080508649362002215284469969","143157829155743455154744212000718832466","124914608028022645447878518161198060247","202389399686940422438919541121567111745","154879259351855591937610514540899234054","86156144306735322566613265414823887214","64983589881964372285336756084123892867","29849385229262091254341847817116254117","257498437327476931408350979006736153885","75030434748687170618585101679473643779","176146611924789049808777870681011510928","104666090561362156377636915665421757331","177755207096890515885463460690297722394","70175214386111700195449851238439535491","61989777311364316396425281345691132272","250221114018920324057281303981284176710","307313871574534274878813563327105252677","131436535749357470954019527677490526257","328146917239871589009913792651517393528","179452115654797436825194683809663894280","309920327776155037017954373833707631523","13508452173870920467087194477289560486","304629640896755118783829335041177903214","86928767823511955829968133917688387580","111235542167029993851311340411151454710","81645841122743510593479228142836250763","190021969294927712065409863975059799568","84761604777184184418405348863985527473","230219580313496022869481131829808894356","246487152823262660887901119492191033242","225406243624184470315496388970452546982","83302603859383727813384300730640431519","66417368719008689052096949860666966345","97039647734427964399281093046594510431","279309249801450887729749605230253685076","267181665381862134241477543681541094556","47843624719877106759787086793688485631","2636119635564817466577767689115821376","201387575904897796512926306069928464908","143965408374202549540519150630601185894","40827157563397065192608995555259968693","266931591069126340724896943176313920313","93546517334927694343899834573780244559","198365803604563852760739409792537246455","223604652154849951866199781521286863062","71610483470377247526170603824101751385","108722168639355652159744726559679615326","4414446391156346598771017202005340327","27323057166928396410356996763603314535","211218431164198948075823940241107869221","320601668993721110806643122925865169404","152730948427229885824349151764261802720","52026990640962902289856795886908131879","63604712016446620971815521732643394423","75426374539086321220727477348551745025","85138367514738803171437275417993789613","53302489509048722616022818231248572902","102887284832336077290315771760258538978","7328998931768003638298835777769009670","174734608297700673135715809125294524395","16625777745903634272226653728882268479","216908421977846639795176175660168497540","203745948117592999426904998636585405611","187856409820637445907237918033854963110","288561031059781565136128210592787267143","90592481303161552805733368040086996217","179377746466428180176105515363902806816","34984507469221483754390721683283847356","305314871354220264525228261334441197332","91352138594475261118773591965501346230","258801705487683239539801212219153932233","19484426234212316489985654619432444192","283572624698696957581999389971462936853","287936696848325603457424214164536432786","328163728519969632072940587247571833450","159904244579816374470837565290636687946","158907556302437409789714384082536833080","87919754723724172547907625652001571962"]},"deprecated":false,"source":"https://github.com/tigervnc/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b"},{"id":"CVE-2020-26117-798fe38a","signature_version":"v1","signature_type":"Line","target":{"file":"java/com/tigervnc/rfb/CSecurityTLS.java"},"source":"https://github.com/tigervnc/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["254879959597166708755377749650092146197","91374251727540154784640120542065135707","317750636556665453140357267196333903036","122034930550491273858260519664642317549","15306066965717648274846281460961221552","8359757768283778176100266673814333688","195594014990822937998606006608676353137","163907564754652202958727677559930791291","191173020480441151243054271238796557056","176391867862463755035176769380039744987","215949152956701877350863480872190827485","301925422789395614728725500503903357093","171141906967346827141715997120599041976","259836959624830035168989233040149512796","171400388409850029316434364067787245533","280797236001931874598265213314956196231","234853621643550317150043400232918937596","298138712047860620118991865280549173326","241867655132983065551386911308344740942","275985508854433839568890994699471561170","37716473888198639734582598260815432593","115638908104793614950864061757061052188","23890399186960892481985154487246799250","112456401072074104998263163674961375355","132613737626536205442413759437815439948","276909342171975476205366415546481182536","262161241997242183815333375110498740128","210386239589110699861056986189035039293","154031391660635096177071401801736552667","262951142028915106348881470456900793118","211404710298499267591154693129600179358","180876876878939480545105054429109936139","221218545074832050248923509876989254863","167930801113009357847765312407235664269","16215466250138313959273349094469010439","302548827383446955325381188304407746119","230607873021703531616651766072869775501","275271691056273547307731678213069818383","52480264368752283306814528045733057384","110094185248068617651578191089652689074","295437726373908906170821333999014637020","159893366148396533924476947028257476592","337655009449511567704292048193555671302","235109380811030652495271224962294868347","313664500469646561696614838650422521822","85071562909927606855282943384190447116","105623375990431245771884164164052012675","34066462780277851660343757683853693274","14256153534036762110284359629725201684","234705357188647279575606479248055096057","2045440066189240568615128474422196585","250483951101915926401103682101526511642","322286450437971710761055480809829416957","338951865573711907685798198207872699889","189271582741122875855675895314226238789","322532572360941536145539758310905975617","252747538684603118245562326705704777590","57774115659019667675187307953677546450","78236115644600910666108049033713959711","328574336174015539613824392791933867233","94978226231476831651657999490819173687","258011737209223364754710918939293936060","301039337978069029157573332249962744751","49878952997896672656256115008628934177","141011388073116832040079848902629628980","209426839997604428257636479502961932511","326376275745100108847494443313026079285","252924066458013103370019354674249438284","96519674172655070622995271013051783950","12588656660915139206624106126851091988","216140370357140389066494044291736249624","10247107177776105081068420504935270357","298262449128677742073543154189804171335","266579077171081317923228257089898474463","186655021405025787473472938203908035627","135288382373364252247293129000320938176","33922577972372784637579595521793618648","86433196583906963845356328707397126959","297343985385585626126475039174990947154","192134324957365557258796984240847509529","259954945552822637932455911528933080032","187790039851367162610372532627211978216","254653553625335318806707780114029310382","253346221738326479658918580967898495721","295296897767744238230610301969502014456","198034381278607021475773071460387823253","210468809876189970164919975811144121437"]}},{"id":"CVE-2020-26117-79afcdd1","signature_type":"Function","signature_version":"v1","target":{"function":"verifyHostname","file":"java/com/tigervnc/rfb/CSecurityTLS.java"},"digest":{"length":1503,"function_hash":"22395545444703093718200764744037241309"},"deprecated":false,"source":"https://github.com/tigervnc/tigervnc/commit/20dea801e747318525a5859fe4f37c52b05310cb"},{"id":"CVE-2020-26117-8a84b8ec","signature_version":"v1","signature_type":"Function","target":{"function":"verifyHostname","file":"java/com/tigervnc/rfb/CSecurityTLS.java"},"source":"https://github.com/tigervnc/tigervnc/commit/f029745f63ac7d22fb91639b2cb5b3ab56134d6e","deprecated":false,"digest":{"length":1503,"function_hash":"22395545444703093718200764744037241309"}},{"id":"CVE-2020-26117-ac00d44c","signature_version":"v1","signature_type":"Function","target":{"function":"CSecurityTLS::setParam","file":"common/rfb/CSecurityTLS.cxx"},"source":"https://github.com/tigervnc/tigervnc/commit/b30f10c681ec87720cff85d490f67098568a9cba","deprecated":false,"digest":{"length":2289,"function_hash":"340027552213134010602828033501919163408"}},{"id":"CVE-2020-26117-df851afe","signature_version":"v1","signature_type":"Function","target":{"function":"CSecurityTLS::checkSession","file":"common/rfb/CSecurityTLS.cxx"},"digest":{"length":4628,"function_hash":"80294187960653727781454827179465497854"},"deprecated":false,"source":"https://github.com/tigervnc/tigervnc/commit/7399eab79a4365434d26494fa1628ce1eb91562b"}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-26117.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}