Skip to main content
CVE Vulnerability Database

CVE-2026-7828: UltraVNC Buffer Overflow Vulnerability

CVE-2026-7828 is a heap buffer overflow vulnerability in UltraVNC repeater through version 1.8.2.2 caused by an integer overflow in HTTP request logging. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-7828 Overview

CVE-2026-7828 is an integer overflow vulnerability [CWE-190] in UltraVNC repeater through version 1.8.2.2. The flaw resides in the HTTP request logging path within repeater/webgui/settings.c:336, where the win_log() function allocates list nodes using malloc(sizeof(struct LIST) + strlen(line)). When line is derived from an HTTP request URI, a sufficiently large strlen(line) causes the addition to wrap, producing an undersized heap allocation. A subsequent strcpy writes the full string into that allocation, yielding a heap buffer overflow. A remote unauthenticated attacker can reach the code path by sending a maximally-sized URI to the repeater HTTP port.

Critical Impact

Remote unauthenticated attackers can trigger a bounded heap buffer overflow in the UltraVNC repeater HTTP logging path, causing partial heap corruption and potential service disruption.

Affected Products

  • UltraVNC repeater through 1.8.2.2
  • Vendor: uvnc
  • CPE: cpe:2.3:a:uvnc:ultravnc:*:*:*:*:*:*:*:*

Discovery Timeline

  • 2026-07-01 - CVE-2026-7828 published to the National Vulnerability Database (NVD)
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-7828

Vulnerability Analysis

The vulnerability sits in the repeater's web GUI logging code. The win_log() function receives a line string derived from incoming HTTP request URIs and allocates a list node with malloc(sizeof(struct LIST) + strlen(line)). Because the addition is performed on unsigned integer types without overflow checks, an attacker-controlled strlen(line) close to the type's maximum wraps the result to a value smaller than sizeof(struct LIST). The follow-on strcpy then copies the full attacker-supplied string into the undersized buffer, corrupting adjacent heap metadata and object fields.

In the shipping implementation, the HTTP receive buffer WI_RXBUFSIZE is capped at 153600 bytes. On 32-bit builds this ceiling sits well below SIZE_MAX, so the theoretical wrap does not fire from a single HTTP receive. This constrains impact to a partial, bounded heap write rather than a fully controllable corruption primitive. The most realistic outcome is process crash and denial of service against the repeater component.

Root Cause

The root cause is an unchecked additive size calculation passed to malloc [CWE-190]. Neither operand is validated against SIZE_MAX - sizeof(struct LIST) before addition, and the copy operation trusts that the allocation matches the source length.

Attack Vector

Exploitation requires network reachability to the repeater HTTP port. No authentication or user interaction is required. An attacker submits an HTTP request with a maximally long URI that reaches win_log(), triggering the vulnerable allocation and copy sequence. Refer to the UltraVNC GitHub repository for source-level context.

Detection Methods for CVE-2026-7828

Indicators of Compromise

  • HTTP requests to the UltraVNC repeater management port containing URIs approaching or exceeding the WI_RXBUFSIZE limit of 153600 bytes.
  • Unexpected crashes, restarts, or heap corruption errors logged by the UltraVNC repeater process.
  • Log entries in the repeater web GUI showing abnormally long request lines shortly before service interruption.

Detection Strategies

  • Inspect network traffic to the repeater HTTP port for oversized request lines and anomalous URI lengths.
  • Alert on repeated malformed HTTP requests from a single source targeting the repeater component.
  • Correlate repeater process crashes with preceding inbound HTTP requests to identify targeted probing.

Monitoring Recommendations

  • Ingest UltraVNC repeater logs and process telemetry into a centralized SIEM for correlation with network events.
  • Monitor for outbound connections from hosts running the repeater following suspected exploitation attempts.
  • Track exposure by inventorying internet-facing UltraVNC repeater instances and their versions.

How to Mitigate CVE-2026-7828

Immediate Actions Required

  • Restrict network access to the UltraVNC repeater HTTP port to trusted management networks only.
  • Place the repeater behind a reverse proxy or WAF that enforces URI length limits well below 153600 bytes.
  • Audit deployed repeater versions and prioritize patching hosts exposed to untrusted networks.

Patch Information

At the time of publication, no fixed version has been enumerated in the NVD entry. Monitor the UltraVNC GitHub repository and the UVNC official website for updated releases that address the integer overflow in win_log().

Workarounds

  • Disable the repeater's HTTP web GUI where it is not required for operations.
  • Enforce strict request size limits on any upstream proxy fronting the repeater.
  • Segment repeater hosts from general-purpose networks and require VPN access for administration.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.