Severity: CRITICAL | CVE-2026-7840 | CNA: securin

CVE-2026-7840: UltraVNC repeater HTTP server global buffer overflow via long URI (pre-auth RCE)

UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied HTTP request URI into a fixed 1000-byte global buffer (hdrbuf) via unchecked sprintf calls. The HTTP receive buffer accepts URIs up to approximately 150 KB (WI_RXBUFSIZE = 153600), so an unauthenticated attacker who can reach the repeater HTTP port (default TCP 80) can overflow hdrbuf by at least 500 bytes with a single HTTP request containing a URI of 1500 bytes or longer, corrupting adjacent .bss-segment globals. The overflow occurs before any authentication check, making it reachable without credentials. A remote, unauthenticated attacker can achieve arbitrary code execution on the host running the repeater.
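
The bug class described above, shown with a bounded replacement for the unchecked sprintf. This is an added illustration, not UltraVNC's code: hdrbuf and its 1000-byte size come from the advisory, while build_error_header, MAX_URI_ECHO, the neighbour field and the header format are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define HDRBUF_SIZE 1000   /* hdrbuf size stated in the advisory */
#define MAX_URI_ECHO 256   /* assumed policy: longest URI echoed in a reply */

/* Stand-in for the repeater's globals: a header buffer with a neighbour. */
static struct { char hdrbuf[HDRBUF_SIZE]; unsigned neighbour; } g = { "", 0xC0FFEEu };

/* Pattern the advisory describes, kept as a comment only:
 *     sprintf(hdrbuf, "... %s ...", uri);   // uri length never checked
 */

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Hypothetical hardened formatter. Returns the header length, or -1 when
 * the header does not fit (the caller drops the connection). */
int build_error_header(int code, const char *reason, const char *uri)
{
    if (bounded_len(uri, MAX_URI_ECHO + 1) > MAX_URI_ECHO) {
        code = 414;                /* oversized URI is never echoed */
        reason = "URI Too Long";
        uri = "";
    }
    int n = snprintf(g.hdrbuf, sizeof g.hdrbuf,
                     "HTTP/1.0 %d %s\r\nConnection: close\r\n\r\n%d %s %s\r\n",
                     code, reason, code, reason, uri);
    if (n < 0 || (size_t)n >= sizeof g.hdrbuf) {
        g.hdrbuf[0] = '\0';        /* truncated output is never sent */
        return -1;
    }
    return n;
}

int main(void)
{
    char uri[1501];                /* constructed 1500-byte test URI */
    memset(uri, 'A', sizeof uri - 1);
    uri[0] = '/';
    uri[sizeof uri - 1] = '\0';
    int n = build_error_header(404, "Not Found", uri);
    printf("%d bytes, neighbour intact: %d\n%s", n, g.neighbour == 0xC0FFEEu, g.hdrbuf);
    return 0;
}
```

The two checks are independent: the length policy rejects oversized URIs before formatting, and the snprintf return-value check catches any other argument that would not fit.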

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: (no version listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A global buffer overflow in UltraVNC repeater's embedded HTTP administration server allows a remote, unauthenticated attacker to execute arbitrary code on the host. The flaw exists in the wi_senderr() and wi_replyhdr() functions, which copy a caller-supplied HTTP request URI into a fixed 1000-byte global buffer without bounds checking; an attacker sends a single HTTP request with a URI of 1500 bytes or more to overflow the buffer before any authentication check runs. Successful exploitation gives the attacker full code execution on the machine running the repeater. No upstream fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-7840 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle UltraVNC repeater. Any image containing an affected version (UltraVNC repeater 1.8.2.2 or earlier) is flagged automatically in both registry scans and CI pipeline checks.

Available

Triage

HarborGuard scores this CVE at 9.3 Critical using the CVSS v4.0 vector and surfaces it at the top of each affected environment's finding queue. Per-environment compliance policy weighting is applied so that the alert is routed to the appropriate team inbox inside each customer organization based on their configured severity thresholds and ownership rules.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a corrected UltraVNC release is detected. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once an upstream fix exists.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the UltraVNC repeater HTTP administration port (default TCP 80) over the network; any internet-exposed or internally reachable deployment is in scope.

  • Authentication: Not required

    The overflow occurs before any authentication check runs, so no credentials of any privilege level are needed.

  • Victim interaction: Not required

    The attack is fully server-side; no user action or social engineering is required.

  • Attack complexity (detail)

    Exploitation is reliable and condition-free: sending a single HTTP request with a URI of 1500 bytes or more is sufficient to trigger the overflow, with no race conditions or special memory-layout requirements.

Blast Radius

  • Reads memory contents from adjacent .bss-segment globals, which may include session state, connection metadata, or configuration values held in the repeater process.
  • Corrupts adjacent global variables in the .bss segment, allowing an attacker to manipulate repeater behavior, redirect VNC sessions, or destabilize the service.
  • Achieves arbitrary code execution on the host running the UltraVNC repeater, gaining the same OS-level privileges as the repeater process.
  • Compromises the host as a pivot point, giving the attacker access to VNC sessions brokered through the repeater and potentially to the broader internal network.

How HarborGuard Handles This

Available on HarborGuard: detection for this critical, pre-authentication RCE is active across all customer environments that scan images containing UltraVNC repeater 1.8.2.2 or earlier. Because no upstream fix exists yet, the recommended immediate compensating controls are to restrict inbound access to the repeater HTTP administration port using network policy or firewall rules so that only trusted management hosts can reach it, to place the repeater behind an egress-filtering proxy, and to consider disabling the embedded HTTP administration interface entirely if it is not operationally required. HarborGuard monitors the upstream advisory and the uvnc release feed on every ingest cycle; the moment a patched version is published, a rebuilt image will become available, and for customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically. Given the CRITICAL severity and zero-interaction exploit path, customers are encouraged to treat this as a priority-one finding until the upstream fix is available and deployed.

Affected packages
  • uvnc / UltraVNC
    ≤ 1.8.2.2
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N