Someone on your server could be watching your screen right now. That's CVE-2026-34352. Here's how to check, patch, and block it on any Linux distro – Ubuntu, Rocky, or SUSE. Bash script + AppArmor included.
It sounds like a movie plot: someone on the same server as you silently watches your screen, captures your admin session, or even injects fake commands into your remote view. But for Linux admins, this is a real risk if you use TigerVNC.
A recent update (tracked as CVE-2026-34352) fixed a nasty permissions flaw. In simple terms, a regular user on the machine could abuse poor permissions to spy on another user’s VNC session or manipulate what they see.
While the patch is fresh, the lesson is eternal: Never trust default VNC permissions. This guide shows you how to check, fix, and prevent this issue on any distro—today and years from now.
How to Check if You Are Vulnerable (Ubuntu, Rocky Linux, SUSE)
1. Check Socket Permissions
# X11 sockets
ls -la /tmp/.X11-unix/ | grep vnc
# If you see "rw-rw-rw-" (world writable) or "rw-r--r--" (world readable), you are vulnerable.

# Shared memory segments
ls -la /dev/shm/ | grep vnc
# Look for files owned by another user that you can read.
3. Test Real-World Access (as a low-privilege user)
# Try to connect to another user's VNC session
vncviewer -shared localhost:1
# If you see their screen without a password, you have a problem.
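To turn the manual ls | grep check into a repeatable audit, here is an added example (mine, not from the original post) that lists every entry in /tmp/.X11-unix and /dev/shm whose "others" bits grant read or write, which is the criterion the steps above use; it generalises to any directory and name pattern you pass in.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit the two locations the post
# names for VNC-related entries that other users can read or write, using the
# post's own criterion (any read or write bit set for "others").

# Usage: find_world_accessible DIR [NAME_GLOB]
# Prints "MODE OWNER PATH" for each risky entry.
# Returns 0 if at least one was found, 1 if the directory is clean or missing.
find_world_accessible() {
    fwa_dir=$1
    fwa_pattern=${2:-*}
    fwa_rc=1
    # -mindepth/-maxdepth 1: only the sockets and segments directly inside DIR
    while IFS= read -r fwa_path; do
        [ -n "$fwa_path" ] || continue
        fwa_mode=$(stat -c '%a' "$fwa_path")    # octal mode, e.g. 666 or 700
        fwa_owner=$(stat -c '%U' "$fwa_path")
        # The last octal digit is the "others" class: r=4, w=2, x=1.
        # Digits 2-7 all carry read or write, which is what the post flags.
        case ${fwa_mode#"${fwa_mode%?}"} in
            [2-7]) printf '%s %s %s\n' "$fwa_mode" "$fwa_owner" "$fwa_path"; fwa_rc=0 ;;
        esac
    done <<EOF
$(find "$fwa_dir" -mindepth 1 -maxdepth 1 -name "$fwa_pattern" 2>/dev/null)
EOF
    return "$fwa_rc"
}

# Run the check over both locations from the post; exit status 0 means "exposed".
audit_vnc_perms() {
    avp_rc=1
    find_world_accessible /tmp/.X11-unix && avp_rc=0
    find_world_accessible /dev/shm '*vnc*' && avp_rc=0
    if [ "$avp_rc" -eq 0 ]; then
        echo "FAIL: the entries above are readable or writable by other users"
    else
        echo "OK: no world-accessible VNC entries found"
    fi
    return "$avp_rc"
}
```

Call audit_vnc_perms from a cron job or configuration-management check and alert on a zero exit status.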
#!/bin/bash
# Hardens TigerVNC against CVE-2026-34352 style permission flaws
set -e

echo "🔒 Starting TigerVNC permission fix..."

# Detect distro (ID values come from /etc/os-release)
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
    VER=$VERSION_ID
fi

# Apply distro-specific patch
case "${OS:-}" in
    ubuntu|debian)
        sudo apt update && sudo apt install --only-upgrade tigervnc-common tigervnc-standalone-server -y
        ;;
    rhel|centos|rocky|almalinux)
        sudo dnf update tigervnc-server tigervnc -y
        ;;
    sles|suse|opensuse-leap|opensuse-tumbleweed)
        sudo zypper patch --cve=CVE-2026-34352 || sudo zypper update tigervnc -y
        ;;
    *)
        echo "⚠️ Unsupported OS. Manually update tigervnc."
        exit 1
        ;;
esac

# Post-update hardening: restrict socket permissions
sudo find /tmp/.X11-unix -name "*vnc*" -exec chmod 750 {} \;
sudo find /dev/shm -name "*vnc*" -exec chmod 750 {} \;

echo "✅ Update complete. Permissions tightened. Restart VNC server."
Save the script as fix-vnc-perms.sh, then run:

chmod +x fix-vnc-perms.sh
sudo ./fix-vnc-perms.sh
Alternative Mitigation (If You Can’t Update Now)
#include <tunables/global>

/usr/bin/vncserver {
  # Intended to keep other users off the socket. Note that AppArmor confines the
  # vncserver process itself: these deny rules remove its read, write, lock and
  # link access to the X11 socket and VNC shared-memory segments.
  deny /tmp/.X11-unix/X[0-9] rwkl,
  deny /dev/shm/vnc* rwkl,
}
# Load (or reload) the profile with: sudo apparmor_parser -r <path-to-this-profile>
# Allow only localhost. This rule must come before the DROP: iptables matches
# rules in order and -A appends to the end of the chain, so a DROP appended
# first would also discard the local connections.
sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 5900:5910 -j ACCEPT
# Block external VNC access
sudo iptables -A INPUT -p tcp --dport 5900:5910 -j DROP