Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable web GUI (AV:N) with a deterministic overflow (AC:L), but admin login is mandatory (PR:H) and no user interaction; code execution yields full C:H/I:H/A:H on the host.
Primary rating from Vendor (securin).
CVSS VectorVendor: securin
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpy_s copies a rule token into temp1[rule1] (25-byte destination) or temp2/temp3 (16-byte destination), the code unconditionally writes a NUL terminator at temp1[rule1][len] = 0 without clamping len to the destination size. When an authenticated administrator saves a rule with a token length equal to or greater than the destination size, the NUL byte is written one or more bytes past the end of the stack-allocated array, corrupting adjacent stack data. An attacker who has obtained admin credentials (including via CVE-2026-7839 default password) can trigger this to gain code execution on the repeater host.
AnalysisAI
Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrupt stack memory via the web GUI allow/deny rule parser, ultimately achieving code execution on the repeater host. The flaw (CWE-787, out-of-bounds write) is reachable only after admin login, but that barrier is significantly weakened when chained with CVE-2026-7839 (default password), which can hand an attacker the required credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires authenticated administrator access to the UltraVNC Repeater web GUI (CVSS PR:H) and the ability to save an allow/deny rule whose token length is equal to or greater than the destination buffer size - 25 bytes for temp1[rule1] or 16 bytes for temp2/temp3 in webgui/settings.c. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base 7.2 High) is internally consistent with the description: network-reachable web GUI, low complexity, but high privileges (admin) required, with full C/I/A impact from code execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker first obtains repeater admin access - for example by logging in with the default password (CVE-2026-7839) - then opens the web GUI and saves an allow/deny rule whose token is crafted to meet or exceed the 25- or 16-byte buffer size. The out-of-bounds NUL write corrupts adjacent stack data and, with a suitably arranged payload, is escalated to arbitrary code execution on the repeater host. … |
| Remediation | No vendor-released patch version was identified at time of analysis; the referenced advisory link (https://uvnc.com/) is the vendor homepage rather than a fixed-release note, so administrators should check https://uvnc.com/ and https://github.com/ultravnc/UltraVNC for a release above 1.8.2.2 and upgrade as soon as one is confirmed. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all UltraVNC Repeater installations running version 1.8.2.2 or earlier; confirm CVE-2026-7839 default credentials are not in use; disable the web GUI if the Repeater service is not actively required. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow
UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow
Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac
Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r
Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa
Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in
Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h
Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V
UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun
UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti
Same weakness CWE-787 – Out-of-bounds Write
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40881
GHSA-fxj2-5q9g-wmp9