CVE-2026-7828 in UltraVNC

Summary

by MITRE • 07/01/2026

UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) + strlen(line)), where line is derived from HTTP request URIs. If strlen(line) is sufficiently large, the addition overflows to a value smaller than sizeof(struct LIST), causing a heap allocation smaller than required. The subsequent strcpy of the full string into the undersized allocation produces a heap buffer overflow. In the current implementation this overflow is bounded by the HTTP receive buffer size (WI_RXBUFSIZE = 153600 bytes, well below SIZE_MAX on 32-bit builds), limiting practical exploitability to a partial heap write. A remote unauthenticated attacker can trigger the theoretical overflow path by sending a maximally-sized URI in an HTTP request to the repeater HTTP port.


Analysis

by VulDB Data Team • 07/01/2026

The vulnerability in UltraVNC repeater versions through 1.8.2.2 represents a critical integer overflow flaw within the HTTP request logging mechanism that demonstrates poor memory management practices and potential remote exploitability. This issue resides in the repeater/webgui/settings.c file at line 336 within the win_log() function where dynamic memory allocation occurs using malloc(sizeof(struct LIST) + strlen(line)). The vulnerability stems from the lack of proper input validation and integer overflow protection when handling HTTP request URIs, creating a scenario where attacker-controlled data can manipulate the allocation size calculation.

The technical implementation of this flaw involves a classic heap-based buffer overflow condition that arises from insufficient bounds checking. When an attacker crafts an HTTP request with an extremely long URI string, the strlen(line) value becomes large enough to cause arithmetic overflow during the memory allocation calculation. The mathematical operation sizeof(struct LIST) + strlen(line) produces an unexpectedly small result due to integer overflow, leading to malloc() allocating insufficient memory for the actual data that will be copied into the buffer. This fundamental miscalculation creates a situation where subsequent strcpy operations write more data than the allocated buffer can accommodate, resulting in heap corruption.

The operational impact of this vulnerability extends beyond simple memory corruption, as it provides a potential pathway for remote code execution or denial of service conditions within the UltraVNC repeater environment. While the current implementation limits practical exploitability through the bounded WI_RXBUFSIZE parameter of 153600 bytes, the theoretical overflow path remains exploitable under certain conditions. The vulnerability can be triggered by unauthenticated remote attackers, who can simply send malicious HTTP requests to the repeater's HTTP port without requiring any credentials or privileged access. This characteristic transforms what could be a local privilege escalation issue into a remotely exploitable vulnerability that impacts network services exposed to external traffic.

Security implications of this vulnerability align with CWE-190, which identifies integer overflow and underflow conditions as critical weaknesses in software systems. The flaw also maps to ATT&CK technique T1210, representing exploitation of remote services through input validation attacks. Organizations running affected UltraVNC repeater versions face potential risks including service disruption, unauthorized access to network infrastructure, or information disclosure when attackers successfully exploit this vulnerability. The heap-based nature of the overflow suggests that memory corruption could potentially be leveraged for more sophisticated attacks if combined with other exploitation techniques.

Mitigation strategies should focus on immediate patching of affected systems to version 1.8.3 or later, where the integer overflow has been addressed through proper bounds checking and input validation. Additionally, network administrators should implement firewall rules that restrict access to the repeater's HTTP port to trusted sources only, reducing the attack surface for unauthenticated exploitation attempts. Input sanitization measures, including URI length limits and maximum request size restrictions, can provide additional defensive layers against similar vulnerabilities in other components of the system architecture. Regular security assessments and code reviews focusing on memory management practices will help prevent similar issues from emerging in future software releases while maintaining compliance with industry standards such as those outlined in the OWASP Top Ten and NIST cybersecurity frameworks for vulnerability management and remediation.
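
The allocation pattern described above, next to a bounds-checked form, as an added example (not UltraVNC source code and not the vendor's patch). The struct layout, the function names and the 4096-byte cap are assumptions made for illustration; the advisory does not show struct LIST or the fixed code.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical node layout; the advisory does not show the real struct LIST. */
struct log_node {
    struct log_node *next;
    char text[];                 /* flexible array member for the log line */
};

#define LOG_LINE_MAX 4096u       /* assumed policy cap, not an UltraVNC value */

/* The advisory's size expression with no check: wraps modulo SIZE_MAX + 1. */
static size_t unchecked_size(size_t header, size_t len)
{
    return header + len;
}

/* Checked form: header + len + 1 (for the NUL), or -1 if the sum would wrap. */
static int checked_size(size_t header, size_t len, size_t *out)
{
    if (header >= SIZE_MAX || len > SIZE_MAX - header - 1)
        return -1;
    *out = header + len + 1;
    return 0;
}

/* Build a node for `line`; over-long input is refused, never under-allocated. */
static struct log_node *log_node_new(const char *line)
{
    size_t len = 0, total;

    while (len <= LOG_LINE_MAX && line[len] != '\0')
        len++;                               /* bounded length scan */
    if (len > LOG_LINE_MAX)
        return NULL;                         /* policy limit exceeded */
    if (checked_size(sizeof(struct log_node), len, &total) != 0)
        return NULL;                         /* arithmetic would wrap */

    struct log_node *n = malloc(total);
    if (n == NULL)
        return NULL;
    n->next = NULL;
    memcpy(n->text, line, len);              /* copy exactly len bytes */
    n->text[len] = '\0';
    return n;
}
```

The length cap is what rejects oversized request lines in practice; the arithmetic check keeps the size computation safe if the cap or the receive buffer size is later raised.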

Responsible: Securin

Reservation: 05/05/2026

Disclosure: 07/01/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low
