Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
AC:H reflects the abnormal caller contract prerequisite; C:L added because adjacent memory disclosure is described as a realistic (if unreliable) outcome, overriding the vendor's C:N.
Primary rating from Vendor (securin).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
2DescriptionNVD
UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to wcslen() before any bounds check. If the caller provides a wide-character buffer that is not properly NUL-terminated, wcslen() reads past the end of the buffer until it encounters a NUL wchar, resulting in an out-of-bounds read. Under typical Win32 API usage this requires an abnormal caller contract. Impact is limited to a potential information disclosure from adjacent memory regions or a process crash (denial of service) if the over-read crosses a page boundary.
AnalysisAI
Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the VNC server process or leak adjacent memory content via the vncWc2Mb() wide-string conversion helper in rfb/dh.cpp at line 204. The flaw is triggered when wcslen() is called on a caller-supplied WCHAR pointer without a preceding bounds check, enabling memory over-reads if the buffer lacks proper NUL termination. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires possession of valid VNC authentication credentials - the CVSS PR:L metric confirms low-privilege authenticated access is a prerequisite before the vulnerable vncWc2Mb() function can be reached. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, score 4.3) places this at Medium severity with network reachability and a low-privilege requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with valid VNC credentials authenticates to an UltraVNC server and sends a crafted RFB protocol message containing a wide-character string field that lacks proper NUL termination, causing the server's vncWc2Mb() function to invoke wcslen() past the buffer boundary. Depending on memory layout at the time of the over-read, the outcome is either a server process crash when the read crosses a page boundary (denial of service) or silent consumption of adjacent memory content until a null wide-character is encountered. … |
| Remediation | Monitor the UltraVNC vendor site at https://uvnc.com/ and the upstream GitHub repository at https://github.com/ultravnc/UltraVNC for a patched release beyond version 1.8.2.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow
UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow
Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac
Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r
Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa
Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in
Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h
Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup
UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun
UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40878
GHSA-f9fh-23qv-g394