Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Attacker-controlled server needs no privileges (PR:N) but victim must connect (UI:R); single-NUL primitive yields reliable DoS (A:H) and minor integrity impact, no realistic confidentiality leak (C:N).
Primary rating from Vendor (securin).
CVSS Vector
Vendor: securin
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H
Description (CVE.org)
UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 the code declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes the NUL terminator at buf[length], i.e., _dn[2024], one byte past the end of the stack buffer. A malicious VNC server can trigger this condition by advertising a desktop name of length 2024 in its ServerInit message. On release builds without stack canaries the single-byte NUL overwrites adjacent stack data. On builds with /GS stack protection the canary is corrupted and the process terminates, resulting in denial of service. User interaction (connecting the viewer to the malicious server) is required.
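The boundary condition described above, reproduced as an added illustration (not UltraVNC source code). The function names, the guard byte and the shape of the flawed length check are assumptions; only the 2024-byte size and the terminator write at buf[length] come from the description. The guard byte sits inside a 2025-byte arena so the stray write is observable without undefined behaviour.

```c
#include <stddef.h>
#include <string.h>

#define NAME_CAP 2024   /* buffer size from the advisory */
#define GUARD    0xA5   /* constructed sentinel standing in for adjacent stack data */

/* Hypothetical stand-in for a ReadString-style helper: copies `length`
 * bytes from the wire and writes the NUL terminator at buf[length]. */
static void read_string(char *buf, const unsigned char *wire, size_t length) {
    memcpy(buf, wire, length);
    buf[length] = '\0';
}

/* Flawed check (assumed shape): accepts length == cap, so NUL lands at buf[cap]. */
static int read_name_flawed(char *buf, size_t cap, const unsigned char *wire, size_t length) {
    if (length > cap) return -1;
    read_string(buf, wire, length);
    return 0;
}

/* Hardened check: the buffer must hold length bytes plus the terminator. */
static int read_name_checked(char *buf, size_t cap, const unsigned char *wire, size_t length) {
    if (cap == 0 || length > cap - 1) return -1;
    read_string(buf, wire, length);
    return 0;
}

/* Runs one reader against an arena of NAME_CAP bytes plus one guard byte.
 * Returns 1 if the guard byte was overwritten, 0 if intact, -1 if rejected. */
static int guard_clobbered(int (*reader)(char *, size_t, const unsigned char *, size_t),
                           size_t length) {
    static unsigned char wire[NAME_CAP + 1];   /* constructed name bytes */
    unsigned char arena[NAME_CAP + 1];
    memset(wire, 'A', sizeof wire);
    memset(arena, GUARD, sizeof arena);
    if (reader((char *)arena, NAME_CAP, wire, length) != 0) return -1;
    return arena[NAME_CAP] != GUARD;
}

int main(void) {
    /* Exit status 0 when all three boundary cases behave as described. */
    return !(guard_clobbered(read_name_flawed, 2023) == 0 &&
             guard_clobbered(read_name_flawed, 2024) == 1 &&
             guard_clobbered(read_name_checked, 2024) == -1);
}
```

The hardened variant rejects a declared length of 2024 because a 2024-byte buffer can hold at most 2023 name bytes plus the terminator.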
Analysis (AI)
Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in the RFB ServerInit message handler, where a malicious VNC server advertising a desktop name of exactly 2024 bytes forces ReadString to write a NUL terminator at _dn[2024], one byte past a 2024-byte stack buffer. A rogue or compromised server can crash victims who connect to it (reliable process termination on /GS-hardened builds) and potentially corrupt adjacent stack data on canary-less release builds. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the victim to actively connect their UltraVNC viewer (<=1.8.2.2) to an attacker-controlled or compromised VNC server; it cannot be triggered against a viewer that never initiates a session. … |
| Risk Assessment | This is a client-side, server-triggered flaw: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H, base 7.5) captures that no attacker-side privileges are needed but the victim must connect (UI:R), and that the dominant, reliable impact is availability (A:H) via process crash. … |
| Exploit Scenario | An attacker stands up a malicious VNC server (or hijacks/redirects a legitimate connection) that emits a ServerInit message declaring a desktop name of exactly 2024 bytes. When a victim points their UltraVNC viewer (<=1.8.2.2) at that server, ReadString writes a NUL one byte past _dn[2024], crashing the viewer on /GS builds or corrupting adjacent stack memory otherwise. … |
| Remediation | No vendor-released patch version is identified in the provided data - monitor the vendor site https://uvnc.com/ and the source repository https://github.com/ultravnc/UltraVNC for a release above 1.8.2.2 that corrects the ServerInit name-length handling, and upgrade to that build once published (do not rely on an assumed version number). … |
Recommended Action (AI)
Within 24 hours: Identify and document all systems running UltraVNC viewer version 1.8.2.2 or earlier. …
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow
UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow
Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac
Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r
Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa
Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h
Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup
Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V
UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun
UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti
Same weakness CWE-193 – Off-by-one Error
Same technique Buffer Overflow
EUVD-2026-40883
GHSA-38w7-mq68-3h8q