Skip to main content

UltraVNC Repeater CVE-2026-7828

| EUVDEUVD-2026-40880 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-07-01 securin GHSA-hpq9-2mqh-7fg9
5.3
CVSS 3.1 · Vendor: securin
Share

Severity by source

Vendor (securin) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
5.3 MEDIUM

Network-reachable HTTP port with no authentication; bounded overflow precludes code execution, limiting impact to partial availability loss only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS VectorVendor: securin

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 05:25 vuln.today

DescriptionCVE.org

UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) + strlen(line)), where line is derived from HTTP request URIs. If strlen(line) is sufficiently large, the addition overflows to a value smaller than sizeof(struct LIST), causing a heap allocation smaller than required. The subsequent strcpy of the full string into the undersized allocation produces a heap buffer overflow. In the current implementation this overflow is bounded by the HTTP receive buffer size (WI_RXBUFSIZE = 153600 bytes, well below SIZE_MAX on 32-bit builds), limiting practical exploitability to a partial heap write. A remote unauthenticated attacker can trigger the theoretical overflow path by sending a maximally-sized URI in an HTTP request to the repeater HTTP port.

AnalysisAI

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging function win_log(), where a malloc size calculation wraps around on 32-bit builds when processing oversized URIs, producing an undersized heap allocation followed by an unchecked strcpy. Remote unauthenticated attackers can trigger this path by sending a maximally-sized URI to the repeater HTTP port, with practical impact bounded by the 153,600-byte HTTP receive buffer and currently assessed at availability disruption rather than reliable code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-reachable UltraVNC Repeater HTTP port
Delivery
Send HTTP request with maximally-sized URI (~153 KB)
Exploit
Integer overflow in malloc() size calculation
Execution
Heap allocation undersized for URI data
Persist
Unchecked strcpy overwrites adjacent heap memory
Impact
Repeater process crash (availability disruption)

Vulnerability AssessmentAI

Exploitation The UltraVNC Repeater must be running on a 32-bit build for the integer overflow to be practically reachable, since on 64-bit builds SIZE_MAX is orders of magnitude larger than the maximum buffer the HTTP receiver can supply (WI_RXBUFSIZE = 153,600 bytes). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 score of 5.3 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L accurately captures the network-reachable, zero-authentication attack surface while limiting impact to availability only. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to the UltraVNC repeater HTTP port sends an HTTP GET request with a URI string sized close to the 153,600-byte receive buffer limit. The win_log() function passes this URI as the line argument, the sizeof(struct LIST) + strlen(line) addition overflows on a 32-bit build to a small value, malloc returns an undersized chunk, and the subsequent strcpy writes up to approximately 153 KB of attacker-controlled data past the chunk boundary into the heap - most likely corrupting adjacent heap metadata or data structures and crashing the repeater process.
Remediation No vendor-released patch version has been independently confirmed from the available references at time of analysis; users should monitor the UltraVNC vendor site (https://uvnc.com/) and the GitHub repository (https://github.com/ultravnc/UltraVNC) for a release beyond 1.8.2.2 that addresses this issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2026-4962 MEDIUM POC
6.4 Mar 27

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2026-7840 CRITICAL
9.3 Jul 01

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac

CVE-2026-7839 CRITICAL
9.1 Jul 01

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r

CVE-2026-7838 HIGH
8.7 Jul 01

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa

CVE-2026-7831 HIGH
7.6 Jul 01

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in

CVE-2026-7830 HIGH
7.4 Jul 01

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h

CVE-2026-7829 HIGH
7.2 Jul 01

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup

CVE-2026-44041 MEDIUM
6.5 Jul 01

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V

CVE-2026-44040 MEDIUM
6.5 Jul 01

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr

CVE-2026-44042 LOW
3.7 Jul 01

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti

Share

CVE-2026-7828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy