Skip to main content

UltraVNC Repeater EUVDEUVD-2026-40881

| CVE-2026-7829 HIGH
Out-of-bounds Write (CWE-787)
2026-07-01 securin GHSA-fxj2-5q9g-wmp9
7.2
CVSS 3.1 · Vendor: securin
Share

Severity by source

Vendor (securin) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable web GUI (AV:N) with a deterministic overflow (AC:L), but admin login is mandatory (PR:H) and no user interaction; code execution yields full C:H/I:H/A:H on the host.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS VectorVendor: securin

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 05:22 vuln.today

DescriptionCVE.org

UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpy_s copies a rule token into temp1[rule1] (25-byte destination) or temp2/temp3 (16-byte destination), the code unconditionally writes a NUL terminator at temp1[rule1][len] = 0 without clamping len to the destination size. When an authenticated administrator saves a rule with a token length equal to or greater than the destination size, the NUL byte is written one or more bytes past the end of the stack-allocated array, corrupting adjacent stack data. An attacker who has obtained admin credentials (including via CVE-2026-7839 default password) can trigger this to gain code execution on the repeater host.

AnalysisAI

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrupt stack memory via the web GUI allow/deny rule parser, ultimately achieving code execution on the repeater host. The flaw (CWE-787, out-of-bounds write) is reachable only after admin login, but that barrier is significantly weakened when chained with CVE-2026-7839 (default password), which can hand an attacker the required credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain repeater admin credentials (e.g. default password)
Delivery
Log into web GUI management interface
Exploit
Save allow/deny rule with oversized token
Execution
Trigger out-of-bounds NUL write in settings.c parser
Persist
Corrupt adjacent stack data
Impact
Achieve code execution on repeater host

Vulnerability AssessmentAI

Exploitation Exploitation requires authenticated administrator access to the UltraVNC Repeater web GUI (CVSS PR:H) and the ability to save an allow/deny rule whose token length is equal to or greater than the destination buffer size - 25 bytes for temp1[rule1] or 16 bytes for temp2/temp3 in webgui/settings.c. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base 7.2 High) is internally consistent with the description: network-reachable web GUI, low complexity, but high privileges (admin) required, with full C/I/A impact from code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker first obtains repeater admin access - for example by logging in with the default password (CVE-2026-7839) - then opens the web GUI and saves an allow/deny rule whose token is crafted to meet or exceed the 25- or 16-byte buffer size. The out-of-bounds NUL write corrupts adjacent stack data and, with a suitably arranged payload, is escalated to arbitrary code execution on the repeater host. …
Remediation No vendor-released patch version was identified at time of analysis; the referenced advisory link (https://uvnc.com/) is the vendor homepage rather than a fixed-release note, so administrators should check https://uvnc.com/ and https://github.com/ultravnc/UltraVNC for a release above 1.8.2.2 and upgrade as soon as one is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all UltraVNC Repeater installations running version 1.8.2.2 or earlier; confirm CVE-2026-7839 default credentials are not in use; disable the web GUI if the Repeater service is not actively required. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2026-4962 MEDIUM POC
6.4 Mar 27

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2026-7840 CRITICAL
9.3 Jul 01

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac

CVE-2026-7839 CRITICAL
9.1 Jul 01

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r

CVE-2026-7838 HIGH
8.7 Jul 01

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa

CVE-2026-7831 HIGH
7.6 Jul 01

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in

CVE-2026-7830 HIGH
7.4 Jul 01

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h

CVE-2026-44041 MEDIUM
6.5 Jul 01

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V

CVE-2026-44040 MEDIUM
6.5 Jul 01

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr

CVE-2026-7828 MEDIUM
5.3 Jul 01

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun

CVE-2026-44042 LOW
3.7 Jul 01

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti

Share

EUVD-2026-40881 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy