CVE-2026-7838

UltraVNC Viewer Heap Buffer Overflow via RFB Protocol


Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: securin

Description

UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. In vncviewer/ClientConnection.cpp, the 4-byte network-supplied reasonLen field (type CARD32) is passed as reasonLen+1 to CheckBufferSize(). Because both operands are unsigned 32-bit, a reasonLen of 0xFFFFFFFF overflows to 0, causing CheckBufferSize to allocate only 256 bytes. The subsequent ReadString(m_netbuf, reasonLen) call then performs ReadExact for the original 4 GiB length into that 256-byte heap buffer. This overflow is reachable via rfbConnFailed (auth-scheme negotiation) and rfbVncAuthFailed (post-handshake) message types without successful authentication. A malicious VNC server, or any man-in-the-middle on the RFB stream, can trigger this condition when the victim viewer connects, potentially resulting in remote code execution as the user running the viewer. The crash was confirmed with AddressSanitizer on a portable reproduction harness (heap-buffer-overflow WRITE at offset 256).
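The length arithmetic described above, next to a bounds-checked parse of the same field, as an added example (not UltraVNC source code). flawed_alloc_size() is a simplified model of the sizing the description attributes to CheckBufferSize(); read_reason_checked() and the MAX_REASON_LEN cap are hypothetical names and values chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_REASON_LEN 4096u /* assumed policy cap, not an UltraVNC value */
#define MIN_BUF 256u         /* minimum allocation named in the description */

/* Model of the flawed sizing: the +1 is computed in 32 bits, so
 * 0xFFFFFFFF + 1 wraps to 0 and only the minimum buffer is provided. */
static uint32_t flawed_alloc_size(uint32_t reason_len) {
    uint32_t want = reason_len + 1u; /* wraps modulo 2^32 */
    return want < MIN_BUF ? MIN_BUF : want;
}

/* Returns 1 when reading reason_len bytes would exceed that buffer. */
static int flawed_path_overflows(uint32_t reason_len) {
    return (uint64_t)reason_len > (uint64_t)flawed_alloc_size(reason_len);
}

/* Hardened parse of [4-byte big-endian length][reason bytes] from msg.
 * Returns the reason length, or -1 if the length is over the cap, does
 * not fit in out, or runs past the bytes actually received. */
static long read_reason_checked(const uint8_t *msg, size_t msg_len,
                                char *out, size_t out_cap) {
    if (msg_len < 4) return -1;
    uint32_t len = ((uint32_t)msg[0] << 24) | ((uint32_t)msg[1] << 16) |
                   ((uint32_t)msg[2] << 8) | (uint32_t)msg[3];
    if (len > MAX_REASON_LEN) return -1;      /* validate before any arithmetic */
    if ((size_t)len >= out_cap) return -1;    /* need len bytes plus the NUL */
    if ((size_t)len > msg_len - 4) return -1; /* truncated message */
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    return (long)len;
}

int main(void) {
    const uint8_t msg[] = {0, 0, 0, 3, 'b', 'a', 'd'}; /* constructed sample */
    char out[64];
    printf("flawed size for 0xFFFFFFFF: %u\n", (unsigned)flawed_alloc_size(0xFFFFFFFFu));
    printf("checked parse: %ld\n", read_reason_checked(msg, sizeof msg, out, sizeof out));
    return 0;
}
```

The checked parser rejects the length before it takes part in any addition, so the wraparound cannot influence the buffer size.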

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE
Vendor: ultravnc
Product: ultravnc_viewer
Version / Range: 1.8.2.2

CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Executive Summary

This vulnerability exists in UltraVNC viewer versions up to 1.8.2.2 and involves an integer overflow that leads to a heap buffer overflow during the parsing of failure-response messages in the RFB protocol.

Specifically, the 4-byte network-supplied reasonLen field is passed to CheckBufferSize() as reasonLen+1. When reasonLen is 0xFFFFFFFF, the addition wraps around to zero in unsigned 32-bit arithmetic, so only 256 bytes of memory are allocated.

However, the program then attempts to read a string of the original large length (4 GiB) into this small buffer, causing a heap buffer overflow.

This overflow can be triggered by a malicious VNC server or a man-in-the-middle attacker through the rfbConnFailed and rfbVncAuthFailed failure messages, without successful authentication, potentially leading to remote code execution on the victim's machine.

Impact Analysis

This vulnerability can have severe impacts including the possibility of remote code execution on the system running the UltraVNC viewer.

An attacker controlling a malicious VNC server or positioned as a man-in-the-middle can exploit this flaw to execute arbitrary code with the privileges of the user running the viewer.

This could lead to system compromise, data theft, or further attacks within the affected environment.
