CVE-2026-7831 Overview
CVE-2026-7831 is an off-by-one stack buffer overflow in the UltraVNC viewer through version 1.8.2.2. The flaw resides in the Remote Framebuffer (RFB) ServerInit message handler within vncviewer/ClientConnection.cpp. A malicious VNC server can supply a desktop name of exactly 2024 bytes, causing ReadString to write a NUL terminator one byte past the end of the fixed-size stack buffer _dn[2024]. Successful exploitation requires a user to connect the viewer to an attacker-controlled server. The issue is tracked under [CWE-193] (Off-by-one Error).
Critical Impact
A malicious VNC server can corrupt adjacent stack data or trigger process termination on /GS-protected builds, resulting in denial of service against the connecting client.
Affected Products
- UltraVNC viewer versions up to and including 1.8.2.2
- The vncviewer component (ClientConnection.cpp)
- Windows builds of UltraVNC using the RFB ServerInit handler
Discovery Timeline
- 2026-07-01 - CVE-2026-7831 published to the National Vulnerability Database (NVD)
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-7831
Vulnerability Analysis
The defect lives in the RFB protocol handshake logic executed by the UltraVNC viewer. After a TCP connection is established, the server sends a ServerInit message containing a nameLength field followed by the desktop name. The viewer allocates a stack buffer sized to nameLength and delegates reading to ReadString.
When nameLength equals exactly 2024, the viewer declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes a NUL terminator at buf[length], which resolves to _dn[2024]. That index is one byte beyond the last valid element _dn[2023], producing a single-byte out-of-bounds write on the stack.
On release builds without stack canaries, the NUL byte overwrites adjacent stack data, potentially corrupting saved registers, frame pointers, or local variables. On builds compiled with /GS stack protection, the canary is overwritten and the process aborts, causing denial of service on the client.
Root Cause
The root cause is a classic off-by-one error: the caller supplies a length equal to the buffer size, but the writer treats that length as the terminator index rather than as the total available capacity. The buffer size and terminator offset are conflated in the interface contract between the caller in ClientConnection.cpp and ReadString.
Attack Vector
Exploitation requires network reachability from the victim viewer to an attacker-controlled VNC server and user interaction to initiate the connection. Once connected, the server crafts a ServerInit message advertising a desktop name length of exactly 2024 bytes. No authentication is required on the server side, and the vulnerable code path runs before any user-visible desktop content is rendered.
Refer to the GitHub UltraVNC Repository and the UVNC Official Website for source and release information.
Detection Methods for CVE-2026-7831
Indicators of Compromise
- Unexpected termination of vncviewer.exe shortly after initiating an outbound VNC session
- Windows Error Reporting entries citing /GS stack cookie corruption in the UltraVNC viewer process
- Outbound TCP sessions to untrusted hosts on default VNC ports (5900-5906) originating from user workstations
Detection Strategies
- Inspect RFB ServerInit messages at the network layer for a name-length field value of 0x000007E8 (2024) followed by a payload of that exact size.
- Correlate crash telemetry from endpoints running UltraVNC viewer with concurrent outbound connections to previously unseen VNC servers.
- Flag execution of UltraVNC viewer binaries whose version metadata is 1.8.2.2 or earlier in enterprise inventories.
Monitoring Recommendations
- Enable process crash and access-violation logging on hosts where UltraVNC viewer is installed and forward events to a central log store.
- Monitor egress firewall logs for VNC protocol traffic to non-corporate destinations and alert on new external VNC endpoints.
- Track installations and version drift of UltraVNC across managed endpoints using software asset inventory.
How to Mitigate CVE-2026-7831
Immediate Actions Required
- Restrict UltraVNC viewer outbound connections to trusted VNC servers via host-based or network firewall rules.
- Instruct users not to initiate VNC sessions to untrusted or unknown hosts until a fixed build is deployed.
- Inventory endpoints running UltraVNC viewer 1.8.2.2 or earlier and prioritize them for remediation.
Patch Information
At the time of publication, no vendor advisory URL is listed in the NVD entry. Administrators should track the GitHub UltraVNC Repository for a fixed release that corrects the off-by-one write in ClientConnection.cpp and adjusts ReadString semantics so that the terminator is written within buffer bounds.
Workarounds
- Uninstall or disable the UltraVNC viewer on systems that do not require remote desktop client functionality.
- Use an alternative RFB client that is not affected by this off-by-one write until UltraVNC issues a patched build.
- Enforce network segmentation so that only vetted internal VNC servers are reachable from workstations running the viewer.
# Example Windows Defender Firewall rule blocking outbound VNC to untrusted networks
netsh advfirewall firewall add rule name="Block UltraVNC Viewer Outbound" ^
dir=out program="C:\Program Files\uvnc bvba\UltraVNC\vncviewer.exe" ^
action=block remoteip=any protocol=TCP remoteport=5900-5906
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

