Skip to main content

UltraVNC EUVDEUVD-2026-40884

| CVE-2026-7838 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-07-01 securin GHSA-wxqv-4fpj-f62j
8.7
CVSS 4.0 · Vendor: securin
Share

Severity by source

Vendor (securin) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Network-reachable pre-auth flaw (AV:N/PR:N) but victim must initiate the viewer connection (UI:R); heap corruption enabling code execution as the user gives C/I/A:H, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS VectorVendor: securin

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jul 01, 2026 - 05:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 01, 2026 - 05:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 01, 2026 - 05:22 vuln.today
cvss_changed
CVSS changed
Jul 01, 2026 - 05:22 NVD
8.8 (HIGH) 8.7 (HIGH)
Analysis Generated
Jul 01, 2026 - 05:21 vuln.today

DescriptionCVE.org

UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. In vncviewer/ClientConnection.cpp, the 4-byte network-supplied reasonLen field (type CARD32) is passed as reasonLen+1 to CheckBufferSize(). Because both operands are unsigned 32-bit, a reasonLen of 0xFFFFFFFF overflows to 0, causing CheckBufferSize to allocate only 256 bytes. The subsequent ReadString(m_netbuf, reasonLen) call then performs ReadExact for the original 4 GiB length into that 256-byte heap buffer. This overflow is reachable via rfbConnFailed (auth-scheme negotiation) and rfbVncAuthFailed (post-handshake) message types without successful authentication. A malicious VNC server, or any man-in-the-middle on the RFB stream, can trigger this condition when the victim viewer connects, potentially resulting in remote code execution as the user running the viewer. The crash was confirmed with AddressSanitizer on a portable reproduction harness (heap-buffer-overflow WRITE at offset 256).

AnalysisAI

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB failure-response parser: a malicious or man-in-the-middle VNC server can send a reasonLen of 0xFFFFFFFF that wraps to 0 during buffer sizing, then stream 4 GiB into a 256-byte heap allocation. The flaw is reachable pre-authentication through connection-failure and auth-failure messages, so merely connecting a viewer to an attacker-controlled endpoint can corrupt the heap and potentially execute code as the user running the viewer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure victim viewer to malicious/MITM RFB endpoint
Delivery
Send rfbConnFailed/rfbVncAuthFailed with reasonLen 0xFFFFFFFF
Exploit
Integer overflow shrinks allocation to 256 bytes
Execution
ReadExact writes ~4GiB past heap buffer
Persist
Corrupt heap for control flow
Impact
Execute code as viewer user

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to actively initiate an outbound UltraVNC viewer connection to an attacker-controlled endpoint - either a malicious VNC server or a man-in-the-middle positioned on the RFB stream (UI:P, passive user interaction). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H, score 8.7) is internally consistent with the description: network-reachable, low complexity, no privileges, but requiring passive user interaction (UI:P) because the victim must initiate an outbound viewer connection. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up a malicious VNC server (or interposes as a man-in-the-middle on an existing RFB session) and induces a victim to point their UltraVNC viewer at it - for example via a support link, a spoofed internal host, or ARP/DNS redirection. During the pre-authentication handshake the server returns an rfbConnFailed or rfbVncAuthFailed message with reasonLen=0xFFFFFFFF, overflowing the size calculation and writing past a 256-byte heap buffer in the victim's viewer, corrupting the heap toward code execution as the connecting user. …
Remediation No vendor-released patch or fixed version number was identified in the provided data, so the exact upgrade target cannot be cited yet - monitor the vendor advisory at https://uvnc.com/ and the source repository at https://github.com/ultravnc/UltraVNC for a release above 1.8.2.2 and upgrade viewers immediately once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems running UltraVNC Viewer through version 1.8.2.2 and implement firewall rules restricting VNC connections to pre-approved trusted endpoints only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2026-4962 MEDIUM POC
6.4 Mar 27

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2026-7840 CRITICAL
9.3 Jul 01

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac

CVE-2026-7839 CRITICAL
9.1 Jul 01

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r

CVE-2026-7831 HIGH
7.6 Jul 01

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in

CVE-2026-7830 HIGH
7.4 Jul 01

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h

CVE-2026-7829 HIGH
7.2 Jul 01

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup

CVE-2026-44041 MEDIUM
6.5 Jul 01

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V

CVE-2026-44040 MEDIUM
6.5 Jul 01

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr

CVE-2026-7828 MEDIUM
5.3 Jul 01

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun

CVE-2026-44042 LOW
3.7 Jul 01

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti

Share

EUVD-2026-40884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy