CVE-2026-7828

CVE-2026-7828 is a medium-severity vulnerability in Uvnc Ultravnc with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-190.

Key facts

Description

UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) + strlen(line)), where line is derived from HTTP request URIs. If strlen(line) is sufficiently large, the addition overflows to a value smaller than sizeof(struct LIST), causing a heap allocation smaller than required. The subsequent strcpy of the full string into the undersized allocation produces a heap buffer overflow. In the current implementation this overflow is bounded by the HTTP receive buffer size (WI_RXBUFSIZE = 153600 bytes, well below SIZE_MAX on 32-bit builds), limiting practical exploitability to a partial heap write. A remote unauthenticated attacker can trigger the theoretical overflow path by sending a maximally-sized URI in an HTTP request to the repeater HTTP port.

Frequently asked questions

What is CVE-2026-7828?
UltraVNC repeater through 1.8.2.2 contains an integer overflow in the HTTP request logging path. In repeater/webgui/settings.c:336, the win_log() function allocates list nodes via malloc(sizeof(struct LIST) + strlen(line)), where line is derived from HTTP request URIs. If strlen(line) is sufficiently large, the addition overflows to a value smaller than sizeof(struct LIST), causing a heap allocation smaller than required. The subsequent strcpy of the full string into the undersized allocation produces a heap buffer overflow. In the current implementation this overflow is bounded by the HTTP receive buffer size (WI_RXBUFSIZE = 153600 bytes, well below SIZE_MAX on 32-bit builds), limiting practical exploitability to a partial heap write. A remote unauthenticated attacker can trigger the theoretical overflow path by sending a maximally-sized URI in an HTTP request to the repeater HTTP port.
How severe is CVE-2026-7828?
CVE-2026-7828 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability low.
Is CVE-2026-7828 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (53rd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-7828?
CVE-2026-7828 affects Uvnc Ultravnc. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-7828?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2026-7828 published?
CVE-2026-7828 was published on 2026-07-01 and last updated on 2026-07-02.

References

Affected products (1)

More vulnerabilities in Uvnc Ultravnc

All CVEs affecting Uvnc Ultravnc →

Other CWE-190 (Integer Overflow or Wraparound) vulnerabilities

Browse all CWE-190 (Integer Overflow or Wraparound) vulnerabilities →