Vulnerability Details CVE-2026-7840
UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied HTTP request URI into a fixed 1000-byte global buffer (hdrbuf) via unchecked sprintf calls. The HTTP receive buffer accepts URIs up to approximately 150 KB (WI_RXBUFSIZE = 153600), so an unauthenticated attacker who can reach the repeater HTTP port (default TCP 80) can overflow hdrbuf by at least 500 bytes with a single HTTP request containing a URI of 1500 bytes or longer, corrupting adjacent .bss-segment globals. The overflow occurs before any authentication check, making it reachable without credentials. A remote, unauthenticated attacker can achieve arbitrary code execution on the host running the repeater.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.014
EPSS Ranking 70.1%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2026-7840
-
cpe:2.3:a:uvnc:ultravnc:1.0.9.6.2
-
cpe:2.3:a:uvnc:ultravnc:1.1.8.9
-
cpe:2.3:a:uvnc:ultravnc:1.1.9.3
-
cpe:2.3:a:uvnc:ultravnc:1.1.9.6
-
cpe:2.3:a:uvnc:ultravnc:1.2.0.5
-
cpe:2.3:a:uvnc:ultravnc:1.2.0.9
-
cpe:2.3:a:uvnc:ultravnc:1.2.1.0
-
cpe:2.3:a:uvnc:ultravnc:1.2.1.2
-
cpe:2.3:a:uvnc:ultravnc:1.2.1.6
-
cpe:2.3:a:uvnc:ultravnc:1.2.1.7
-
cpe:2.3:a:uvnc:ultravnc:1.2.2.2
-
cpe:2.3:a:uvnc:ultravnc:1.2.2.3
-
cpe:2.3:a:uvnc:ultravnc:1.2.2.4
-
cpe:2.3:a:uvnc:ultravnc:1.2.4.0
-
cpe:2.3:a:uvnc:ultravnc:1.3.2
-
cpe:2.3:a:uvnc:ultravnc:1.3.4
-
cpe:2.3:a:uvnc:ultravnc:1.3.4.1
-
cpe:2.3:a:uvnc:ultravnc:1.3.4.2
-
cpe:2.3:a:uvnc:ultravnc:1.3.6.0
-
cpe:2.3:a:uvnc:ultravnc:1.3.8.0
-
cpe:2.3:a:uvnc:ultravnc:1.3.8.1
-
cpe:2.3:a:uvnc:ultravnc:1.4.0.5
-
cpe:2.3:a:uvnc:ultravnc:1.4.0.6
-
cpe:2.3:a:uvnc:ultravnc:1.4.0.9
-
cpe:2.3:a:uvnc:ultravnc:1.4.2.0
-
cpe:2.3:a:uvnc:ultravnc:1.4.3.0
-
cpe:2.3:a:uvnc:ultravnc:1.4.3.1
-
cpe:2.3:a:uvnc:ultravnc:1.4.3.5
-
cpe:2.3:a:uvnc:ultravnc:1.4.3.6
-
cpe:2.3:a:uvnc:ultravnc:1.5.0.0
-
cpe:2.3:a:uvnc:ultravnc:1.6.0.0
-
cpe:2.3:a:uvnc:ultravnc:1.6.1.0
-
cpe:2.3:a:uvnc:ultravnc:1.6.4.0
-
cpe:2.3:a:uvnc:ultravnc:1.8.2.2