Skip to main content

UltraVNC CVE-2026-7831

| EUVDEUVD-2026-40883 HIGH
Off-by-one Error (CWE-193)
2026-07-01 securin GHSA-38w7-mq68-3h8q
7.6
CVSS 3.1 · Vendor: securin
Share

Severity by source

Vendor (securin) PRIMARY
7.6 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
vuln.today AI
7.1 HIGH

Attacker-controlled server needs no privileges (PR:N) but victim must connect (UI:R); single-NUL primitive yields reliable DoS (A:H) and minor integrity impact, no realistic confidentiality leak (C:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS VectorVendor: securin

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
High

Lifecycle Timeline

3
Re-analysis Queued
Jul 01, 2026 - 05:22 vuln.today
cvss_changed
CVSS changed
Jul 01, 2026 - 05:22 NVD
7.5 (HIGH) 7.6 (HIGH)
Analysis Generated
Jul 01, 2026 - 05:21 vuln.today

DescriptionCVE.org

UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 the code declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes the NUL terminator at buf[length], i.e., _dn[2024], one byte past the end of the stack buffer. A malicious VNC server can trigger this condition by advertising a desktop name of length 2024 in its ServerInit message. On release builds without stack canaries the single-byte NUL overwrite adjacent stack data. On builds with /GS stack protection the canary is corrupted and the process terminates, resulting in denial of service. User interaction (connecting the viewer to the malicious server) is required.

AnalysisAI

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in the RFB ServerInit message handler, where a malicious VNC server advertising a desktop name of exactly 2024 bytes forces ReadString to write a NUL terminator at _dn[2024], one byte past a 2024-byte stack buffer. A rogue or compromised server can crash victims who connect to it (reliable process termination on /GS-hardened builds) and potentially corrupt adjacent stack data on canary-less release builds. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Stand up malicious VNC server
Delivery
Lure victim to connect viewer
Exploit
Send ServerInit with name length 2024
Execution
ReadString writes NUL at _dn[2024]
Persist
Off-by-one corrupts stack
Impact
Viewer process crashes (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively connect their UltraVNC viewer (<=1.8.2.2) to an attacker-controlled or compromised VNC server; it cannot be triggered against a viewer that never initiates a session. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a client-side, server-triggered flaw: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H, base 7.5) captures that no attacker-side privileges are needed but the victim must connect (UI:R), and that the dominant, reliable impact is availability (A:H) via process crash. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious VNC server (or hijacks/redirects a legitimate connection) that emits a ServerInit message declaring a desktop name of exactly 2024 bytes. When a victim points their UltraVNC viewer (<=1.8.2.2) at that server, ReadString writes a NUL one byte past _dn[2024], crashing the viewer on /GS builds or corrupting adjacent stack memory otherwise. …
Remediation No vendor-released patch version is identified in the provided data - monitor the vendor site https://uvnc.com/ and the source repository https://github.com/ultravnc/UltraVNC for a release above 1.8.2.2 that corrects the ServerInit name-length handling, and upgrade to that build once published (do not rely on an assumed version number). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all systems running UltraVNC viewer version 1.8.2.2 or earlier. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2026-4962 MEDIUM POC
6.4 Mar 27

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2026-7840 CRITICAL
9.3 Jul 01

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac

CVE-2026-7839 CRITICAL
9.1 Jul 01

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r

CVE-2026-7838 HIGH
8.7 Jul 01

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa

CVE-2026-7830 HIGH
7.4 Jul 01

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h

CVE-2026-7829 HIGH
7.2 Jul 01

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup

CVE-2026-44041 MEDIUM
6.5 Jul 01

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V

CVE-2026-44040 MEDIUM
6.5 Jul 01

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr

CVE-2026-7828 MEDIUM
5.3 Jul 01

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun

CVE-2026-44042 LOW
3.7 Jul 01

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti

Share

CVE-2026-7831 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy