CVE-2026-7829
UltraVNC repeater authenticated out-of-bounds write in rule parser via oversized token
Description
UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpy_s copies a rule token into temp1[rule1] (25-byte destination) or temp2/temp3 (16-byte destination), the code unconditionally writes a NUL terminator at temp1[rule1][len] = 0 without clamping len to the destination size. When an authenticated administrator saves a rule with a token length equal to or greater than the destination size, the NUL byte is written one or more bytes past the end of the stack-allocated array, corrupting adjacent stack data. An attacker who has obtained admin credentials (including via CVE-2026-7839 default password) can trigger this to gain code execution on the repeater host.
INFO
Published Date :
July 1, 2026, 3:33 a.m.
Last Modified :
July 1, 2026, 3:33 a.m.
Remotely Exploit :
Yes !
Source :
securin
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 33c584b5-0579-4c06-b2a0-8d8329fcab9c |
Solution
- Update UltraVNC to a patched version.
- Review and update authentication credentials.
- Restrict administrative access to trusted users.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-7829 vulnerability anywhere in the article.