Aggregates CVE and security vulnerability intelligence across all spice-gtk_project-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk path handling, vendor risk buffer overflow, and vendor risk input validation and related problems; some flaws may lead to vendor impact memory corruption.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2017-12194 | A flaw was found in the way spice-client processed certain messages sent from the server. An attacker, having control of malicious spice-server, could use this flaw to crash the client or execute arbitrary code with permissions of the user running the client. spice-gtk versions through 0.34 are believed to be vulnerable. | [email protected] | 9.8 | 5.54% | 2018-03-14 | 2026-06-16 |
| CVE-2016-3066 | The spice-gtk widget allows remote authenticated users to obtain information from the host clipboard. | [email protected] | 6.5 | 1.03% | 2017-06-06 | 2026-06-16 |
| CVE-2013-4324 | spice-gtk 0.14, and possibly other versions, invokes the polkit authority using the insecure polkit_unix_process_new API function, which allows local users to bypass intended access restrictions by leveraging a PolkitUnixProcess PolkitSubject race condition via a (1) setuid process or (2) pkexec process, a related issue to CVE-2013-4288. | [email protected] | 4.6 | 0.38% | 2013-10-03 | 2026-06-16 |