CVE-2019-25601
Received Received - Intake

Buffer Overflow in UltraVNC Launcher vncviewer.exe Causes DoS

Vulnerability report for CVE-2019-25601, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-22

Last updated on: 2026-03-22

Assigner: VulnCheck

Description

UltraVNC Launcher 1.2.2.4 contains a buffer overflow vulnerability in the Path vncviewer.exe property field that allows local attackers to crash the application by supplying an excessively long string. Attackers can input a 300-byte payload of repeated characters through the Properties dialog to trigger a denial of service condition.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-22
Last Modified
2026-03-22
Generated
2026-07-06
AI Q&A
2026-03-22
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
ultravnc launcher 1.2.2.4
uvnc ultravnc_launcher to 1.2.2.4 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to reproduce the crash condition on the UltraVNC Launcher application version 1.2.2.4. Specifically, the vulnerability is triggered by supplying an excessively long string (300 repeated characters) in the "Path vncviewer.exe" property field within the Properties dialog of the application.'}, {'type': 'paragraph', 'content': 'A practical detection method involves using the proof-of-concept exploit steps:'}, {'type': 'list_item', 'content': 'Run a script or manually create a 300-character payload (e.g., 300 "A" characters).'}, {'type': 'list_item', 'content': 'Copy this payload to the clipboard.'}, {'type': 'list_item', 'content': 'Open UltraVNC Launcher, navigate to the Properties menu.'}, {'type': 'list_item', 'content': 'Paste the payload into the "Path vncviewer.exe" field and apply the changes.'}, {'type': 'paragraph', 'content': 'If the application crashes, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'No specific network commands are applicable since this is a local application vulnerability triggered via the GUI.'}] [2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, the immediate step is to avoid supplying excessively long strings (such as 300-byte payloads) in the "Path vncviewer.exe" property field of UltraVNC Launcher version 1.2.2.4.'}, {'type': 'paragraph', 'content': 'Additionally, consider the following actions:'}, {'type': 'list_item', 'content': 'Do not run UltraVNC Launcher with untrusted input or allow untrusted users local access to the system.'}, {'type': 'list_item', 'content': 'Upgrade to a later version of UltraVNC Launcher if available, where this vulnerability has been addressed.'}, {'type': 'list_item', 'content': 'Restrict local user permissions to prevent unauthorized modification of UltraVNC Launcher properties.'}, {'type': 'paragraph', 'content': 'Since the vulnerability requires local access and user interaction, controlling local access and input validation are key mitigation strategies.'}] [1, 3]

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2019-25601 is a buffer overflow vulnerability in UltraVNC Launcher version 1.2.2.4. It occurs in the "Path vncviewer.exe" property field, where a local attacker can input an excessively long stringβ€”specifically a 300-byte payload of repeated charactersβ€”via the Properties dialog. This causes the application to crash, resulting in a denial of service condition.'}] [2, 3]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows a local attacker to crash the UltraVNC Launcher application by supplying a specially crafted long string in the "Path vncviewer.exe" field. The impact is a denial of service (DoS), meaning the application becomes unavailable or stops functioning properly, which could disrupt remote desktop operations.'}] [2, 3]

Compliance Impact

I don't know

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25601. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart