CVE Catalog

CVE-2026-7828

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.84%

53th percentile — higher than 53% of all known CVEs

Summary

UltraVNC repeater up to version 1.8.2.2 contains an integer overflow in the win_log() function during memory allocation for list nodes. An attacker can send a sufficiently long HTTP URI, leading to a heap buffer overflow, potentially allowing out-of-bounds write.

Risk Assessment

This vulnerability could allow a remote unauthenticated attacker to corrupt heap memory, potentially causing service crashes or privilege escalation, although the overflow is practically limited by the HTTP receive buffer size.

Recommendation

Immediately update UltraVNC repeater to the latest available version that fixes this vulnerability. If an update is not possible, restrict access to the repeater HTTP port to trusted networks only.

Original NVD description (English source)

UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) + strlen(line)), where line is derived from HTTP request URIs. If strlen(line) is sufficiently large, the addition overflows to a value smaller than sizeof(struct LIST), causing a heap allocation smaller than required. The subsequent strcpy of the full string into the undersized allocation produces a heap buffer overflow. In the current implementation this overflow is bounded by the HTTP receive buffer size (WI_RXBUFSIZE = 153600 bytes, well below SIZE_MAX on 32-bit builds), limiting practical exploitability to a partial heap write. A remote unauthenticated attacker can trigger the theoretical overflow path by sending a maximally-sized URI in an HTTP request to the repeater HTTP port.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS