Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable pre-auth flaw (AV:N/PR:N) but victim must initiate the viewer connection (UI:R); heap corruption enabling code execution as the user gives C/I/A:H, scope unchanged.
Primary rating from Vendor (securin).
Description (CVE.org)
UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. In vncviewer/ClientConnection.cpp, the 4-byte network-supplied reasonLen field (type CARD32) is passed as reasonLen+1 to CheckBufferSize(). Because both operands are unsigned 32-bit, a reasonLen of 0xFFFFFFFF overflows to 0, causing CheckBufferSize to allocate only 256 bytes. The subsequent ReadString(m_netbuf, reasonLen) call then performs ReadExact for the original 4 GiB length into that 256-byte heap buffer. This overflow is reachable via rfbConnFailed (auth-scheme negotiation) and rfbVncAuthFailed (post-handshake) message types without successful authentication. A malicious VNC server, or any man-in-the-middle on the RFB stream, can trigger this condition when the victim viewer connects, potentially resulting in remote code execution as the user running the viewer. The crash was confirmed with AddressSanitizer on a portable reproduction harness (heap-buffer-overflow WRITE at offset 256).
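The 32-bit wraparound described above, next to a bounded size check that avoids it, as an added C example (not UltraVNC's code and not a vendor patch). The function names and the 4096-byte `MAX_REASON_LEN` cap are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: upper bound on a failure-reason string; not a value from UltraVNC. */
#define MAX_REASON_LEN 4096u

/* Size request as the description states it: unsigned 32-bit reasonLen + 1. */
static uint32_t wrapped_request(uint32_t reason_len) {
    return reason_len + 1u;          /* modulo 2^32: 0xFFFFFFFF + 1 == 0 */
}

/* Hardened sizing: validate the wire value before doing arithmetic on it.
 * Returns 0 and sets *out to the bytes needed (payload + NUL), or -1 to reject. */
static int checked_request(uint32_t reason_len, size_t *out) {
    if (reason_len > MAX_REASON_LEN)
        return -1;                   /* caller should drop the connection */
    *out = (size_t)reason_len + 1u;  /* cannot wrap: reason_len <= 4096 */
    return 0;
}

/* Invariant that must hold before reading reason_len bytes into a buffer
 * of buf_size bytes and appending a terminator. */
static int read_fits(size_t buf_size, uint32_t reason_len) {
    return buf_size > 0 && (uint64_t)reason_len <= (uint64_t)buf_size - 1u;
}

int main(void) {
    /* Constructed sample lengths, not captured traffic. */
    const uint32_t samples[] = { 0u, 22u, 4096u, 4097u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t need = 0;
        int ok = checked_request(samples[i], &need);
        printf("reasonLen=0x%08X naive_request=%u checked=%s fits_256=%d\n",
               (unsigned)samples[i], (unsigned)wrapped_request(samples[i]),
               ok == 0 ? "accept" : "reject", read_fits(256, samples[i]));
    }
    return 0;
}
```

The point of `read_fits` is that the length used for the read and the length used for sizing must be compared in a type wide enough that neither can wrap.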
Analysis (AI)
Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB failure-response parser: a malicious or man-in-the-middle VNC server can send a reasonLen of 0xFFFFFFFF that wraps to 0 during buffer sizing, then stream 4 GiB into a 256-byte heap allocation. The flaw is reachable pre-authentication through connection-failure and auth-failure messages, so merely connecting a viewer to an attacker-controlled endpoint can corrupt the heap and potentially execute code as the user running the viewer. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the victim to actively initiate an outbound UltraVNC viewer connection to an attacker-controlled endpoint - either a malicious VNC server or a man-in-the-middle positioned on the RFB stream (UI:P, passive user interaction). … |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H, score 8.7) is internally consistent with the description: network-reachable, low complexity, no privileges, but requiring passive user interaction (UI:P) because the victim must initiate an outbound viewer connection. … |
| Exploit Scenario | An attacker stands up a malicious VNC server (or interposes as a man-in-the-middle on an existing RFB session) and induces a victim to point their UltraVNC viewer at it - for example via a support link, a spoofed internal host, or ARP/DNS redirection. During the pre-authentication handshake the server returns an rfbConnFailed or rfbVncAuthFailed message with reasonLen=0xFFFFFFFF, overflowing the size calculation and writing past a 256-byte heap buffer in the victim's viewer, corrupting the heap toward code execution as the connecting user. … |
| Remediation | No vendor-released patch or fixed version number was identified in the provided data, so the exact upgrade target cannot be cited yet - monitor the vendor advisory at https://uvnc.com/ and the source repository at https://github.com/ultravnc/UltraVNC for a release above 1.8.2.2 and upgrade viewers immediately once published. … |
Recommended Action (AI)
24 hours: Inventory all systems running UltraVNC Viewer through version 1.8.2.2 and implement firewall rules restricting VNC connections to pre-approved trusted endpoints only. …
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow
UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow
Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac
Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r
Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in
Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h
Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup
Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V
UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun
UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti
Same weakness CWE-190 – Integer Overflow or Wraparound
EUVD-2026-40884
GHSA-wxqv-4fpj-f62j