CVE-2026-7831
Received - Intake

UltraVNC Viewer Stack Buffer Overflow


Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: securin

Description

UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024, the code declares a 2024-byte stack buffer _dn[2024] and calls ReadString(_dn, 2024). ReadString writes the NUL terminator at buf[length], i.e., _dn[2024], one byte past the end of the stack buffer. A malicious VNC server can trigger this condition by advertising a desktop name of length 2024 in its ServerInit message. On release builds without stack canaries, the single-byte NUL overwrites adjacent stack data. On builds with /GS stack protection, the canary is corrupted and the process terminates, resulting in denial of service. User interaction (connecting the viewer to the malicious server) is required.
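
The off-by-one described above, modelled in C beside a caller that reserves room for the terminator. This is an added example, not UltraVNC source code: read_string_model, neighbor_clobbered, read_name_checked and the guard byte are hypothetical names, and only the 2024-byte size and the write at buf[length] come from the description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DN_SIZE 2024   /* size of _dn[] given in the description */
#define GUARD   0xAA   /* constructed marker for the byte after the buffer */

/* Model of ReadString as described: copy `length` bytes, then store the
   NUL at buf[length]. The caller must therefore provide length + 1 bytes. */
static void read_string_model(char *buf, const char *src, size_t length)
{
    memcpy(buf, src, length);
    buf[length] = '\0';
}

/* Unchecked call pattern. mem[] holds the DN_SIZE-byte name buffer plus one
   extra byte standing in for adjacent stack data, so the stray write stays
   inside the array and can be observed. Returns 1 if that byte was hit. */
int neighbor_clobbered(size_t name_length)
{
    static char name[DN_SIZE];            /* constructed desktop name */
    unsigned char mem[DN_SIZE + 1];

    if (name_length > DN_SIZE)
        return -1;                        /* outside the modelled case */
    memset(name, 'A', sizeof name);
    mem[DN_SIZE] = GUARD;
    read_string_model((char *)mem, name, name_length);
    return mem[DN_SIZE] != GUARD;
}

/* Hardened caller: accept a length only if the terminator also fits.
   Returns 0 on success, -1 when the length is rejected. */
int read_name_checked(char *dst, size_t dst_size, const char *src, size_t length)
{
    if (dst_size == 0 || length > dst_size - 1)
        return -1;
    read_string_model(dst, src, length);
    return 0;
}

int main(void)
{
    static char name[DN_SIZE], dn[DN_SIZE];
    printf("2023: clobbered=%d\n", neighbor_clobbered(2023));
    printf("2024: clobbered=%d\n", neighbor_clobbered(2024));
    printf("checked 2024: rc=%d\n", read_name_checked(dn, sizeof dn, name, 2024));
    return 0;
}
```

The largest length the checked caller accepts for a 2024-byte buffer is 2023, which is the bound a fix for this class of bug (CWE-193) has to enforce.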


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor | Product | Version / Range
ultravnc | viewer | 1.8.2.2


Exploitability

CWE ID | Description
CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer.
CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Executive Summary

This vulnerability is an off-by-one stack buffer overflow found in UltraVNC viewer versions up to 1.8.2.2. It occurs in the RFB ServerInit message handler when the server sends a desktop name of exactly 2024 characters. The program allocates a 2024-byte buffer on the stack to store this name, but then writes a NUL terminator one byte beyond the buffer's end, causing a buffer overflow.

A malicious VNC server can exploit this by sending a specially crafted ServerInit message with a desktop name of length 2024, triggering the overflow. Depending on the build, this can either overwrite adjacent stack data or corrupt stack canaries, potentially causing the viewer process to crash.

User interaction is required, meaning the vulnerability is triggered when a user connects the UltraVNC viewer to a malicious server.

Impact Analysis

This vulnerability can impact you by allowing a malicious VNC server to cause a denial of service or potentially execute arbitrary code on your system when you connect to it using the UltraVNC viewer.

On builds without stack protection, the off-by-one overflow can overwrite adjacent stack data, which might be exploited for code execution. On builds with stack canaries, the overflow corrupts the canary, causing the process to terminate and resulting in denial of service.

Since user interaction is required, the risk arises when connecting to untrusted or malicious VNC servers.

Mitigation Strategies

To mitigate this vulnerability, avoid connecting the UltraVNC viewer (versions through 1.8.2.2) to untrusted or potentially malicious VNC servers, as user interaction is required to trigger the issue.

Additionally, consider updating to a version of UltraVNC viewer that addresses this off-by-one stack buffer overflow vulnerability once such a fix is available.
