CVE-2026-7828
Received Received - Intake

Integer Overflow Leading to Heap Buffer Overflow in UltraVNC Repeater

Vulnerability report for CVE-2026-7828, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: securin

Description

UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) + strlen(line)), where line is derived from HTTP request URIs. If strlen(line) is sufficiently large, the addition overflows to a value smaller than sizeof(struct LIST), causing a heap allocation smaller than required. The subsequent strcpy of the full string into the undersized allocation produces a heap buffer overflow. In the current implementation this overflow is bounded by the HTTP receive buffer size (WI_RXBUFSIZE = 153600 bytes, well below SIZE_MAX on 32-bit builds), limiting practical exploitability to a partial heap write. A remote unauthenticated attacker can trigger the theoretical overflow path by sending a maximally-sized URI in an HTTP request to the repeater HTTP port.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ultravnc repeater 1.8.2.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability allows a remote unauthenticated attacker to cause a heap buffer overflow by sending a specially crafted HTTP request with a very large URI. This can lead to partial heap memory corruption.

While the overflow is bounded and limited to a partial heap write due to buffer size restrictions, it could potentially be exploited to disrupt the normal operation of the UltraVNC repeater, causing denial of service or possibly enabling further attacks depending on the context.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is an integer overflow in the UltraVNC repeater version through 1.8.2.2, specifically in the HTTP request logging path. The issue occurs in the win_log() function, which allocates memory for list nodes based on the length of HTTP request URIs. If the URI length is very large, the calculation for the memory allocation overflows, resulting in a smaller-than-needed allocation. When the full URI string is copied into this undersized buffer, it causes a heap buffer overflow.

This overflow is limited by the maximum HTTP receive buffer size, which restricts the overflow to a partial heap write. An attacker can trigger this by sending a maximally-sized URI in an HTTP request to the repeater's HTTP port without needing to authenticate.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart