CVE-2026-7840
- EPSS 1.44%
- Veröffentlicht 01.07.2026 03:33:28
- Zuletzt bearbeitet 09.07.2026 06:16:22
UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied HTTP request URI into a fixed 1000-by...
CVE-2026-7839
- EPSS 0.37%
- Veröffentlicht 01.07.2026 03:33:27
- Zuletzt bearbeitet 09.07.2026 06:16:22
UltraVNC repeater through 1.8.2.2 initializes the HTTP administration server with a hardcoded default password. In repeater/webgui/settings.c:197, when settings2.txt is absent on first run the repeater writes the literal string "adminadmi2" as the ad...
CVE-2026-7838
- EPSS 1.4%
- Veröffentlicht 01.07.2026 03:33:26
- Zuletzt bearbeitet 09.07.2026 06:16:22
UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. In vncviewer/ClientConnection.cpp, the 4-byte network-supplied reasonLen field (type CARD32) is passed a...
CVE-2026-7831
- EPSS 0.53%
- Veröffentlicht 01.07.2026 03:33:25
- Zuletzt bearbeitet 09.07.2026 06:16:21
UltraVNC viewer through 1.8.2.2 contains an off-by-one stack buffer overflow in the RFB ServerInit message handler. In vncviewer/ClientConnection.cpp, when the server-supplied nameLength equals exactly 2024 the code declares a 2024-byte stack buffer ...
CVE-2026-7830
- EPSS 0.22%
- Veröffentlicht 01.07.2026 03:33:24
- Zuletzt bearbeitet 09.07.2026 06:16:21
UltraVNC through 1.8.2.2 uses inadequate cryptography in the MS-Logon II authentication scheme (rfbUltraVNC_MsLogonIIAuth). In rfb/dh.cpp the Diffie-Hellman key exchange is performed with parameters that fit in an unsigned 64-bit integer (DH_MAX_BITS...
CVE-2026-7829
- EPSS 0.57%
- Veröffentlicht 01.07.2026 03:33:22
- Zuletzt bearbeitet 09.07.2026 06:16:21
UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpy_s copies a rule token into temp1[rule1] (25-byte destination) or temp2/temp3 (16-...
CVE-2026-7828
- EPSS 1.06%
- Veröffentlicht 01.07.2026 03:33:21
- Zuletzt bearbeitet 09.07.2026 06:16:21
UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) + strlen(line)), where line is derived from...
CVE-2026-44040
- EPSS 0.28%
- Veröffentlicht 01.07.2026 03:33:20
- Zuletzt bearbeitet 09.07.2026 06:16:20
UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. In rfb/vncauth.c:119-129, the vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand() and genera...
CVE-2026-44041
- EPSS 0.32%
- Veröffentlicht 01.07.2026 03:33:19
- Zuletzt bearbeitet 09.07.2026 06:16:21
UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to wcslen() before any bounds check. If the caller provides a...
CVE-2026-44042
- EPSS 0.39%
- Veröffentlicht 01.07.2026 03:33:07
- Zuletzt bearbeitet 09.07.2026 06:16:21
UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer wit...