- Product: uvnc UltraVNC
- Vulnerabilities: 2 flaws (CVE-2026-7839, CVE-2026-7840)
- Highest severity: 9.8 (Critical · CVSSv3)
- Worst impact: repeater HTTP server global buffer overflow via long URI (pre-auth RCE)
- Status: No confirmed exploitation yet
- Action: See vendor advisories
| CVE | CVSS | Type | Status |
|---|---|---|---|
| CVE-2026-7840 | 9.8 | repeater HTTP server global buffer overflow via long URI (pre-auth RCE) | Not exploited |
| CVE-2026-7839 | 9.1 | CWE-798 hardcoded admin password in the repeater HTTP admin server | Not exploited |
TL;DR
Researchers disclosed two UltraVNC repeater vulnerabilities in the tool’s HTTP admin server. One allows arbitrary code execution without any login. The other exposes a hardcoded admin password. Both flaws affect the repeater through version 1.8.2.2.
Why It Matters
The UltraVNC repeater relays remote desktop sessions across networks. So it often sits at a network edge. A remote attacker who reaches its web port gains a foothold. These UltraVNC repeater vulnerabilities therefore put whole session chains at risk. Many admins expose the repeater to the internet for convenience. That choice widens the attack surface. No exploitation in the wild has been confirmed.
How the Attacks Work
Unauthenticated overflow (CVE-2026-7840)
The admin server copies the request URI into a fixed 1000-byte buffer using an unchecked sprintf call. A long URI therefore overflows that buffer before any authentication check runs. Because the buffer is global, the overflow corrupts neighbouring data in the .bss segment. As a result, a remote attacker can run code with no credentials. This flaw rates CVSS 9.8.
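The following C program is an added illustration of the defect class described above, written for this page; it is not UltraVNC repeater code, and the buffer name, the size constant and the request-line parser are constructed assumptions based only on the advisory's description (a fixed 1000-byte global buffer, filled by sprintf before authentication). It shows the unbounded copy as a comment and implements the bounded replacement that rejects over-long URIs instead of writing past the buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed global URI buffer the advisory describes (1000 bytes).
 * The real repeater's symbol names are not public here; everything in this
 * file is a constructed illustration, not UltraVNC code. */
#define URI_BUF_SIZE 1000

/* Lives in .bss, like the buffer the advisory describes. Whatever the linker
 * placed after it is what an over-long copy would overwrite. */
static char g_uri_buf[URI_BUF_SIZE];

/*
 * Vulnerable pattern (deliberately NOT called anywhere in this file):
 *
 *     sprintf(g_uri_buf, "%s", request_uri);
 *
 * sprintf never consults sizeof g_uri_buf, so a URI longer than
 * URI_BUF_SIZE - 1 bytes runs past the end of the buffer. Because this
 * happens while parsing the request line, it precedes any login check.
 */

/* Hardened form: enforce the limit explicitly, then copy with a bound.
 * Returns true if the URI was stored, false if the request must be rejected
 * (a real server would answer 414 URI Too Long and close the connection). */
bool store_request_uri(const char *request_uri, size_t uri_len)
{
    if (request_uri == NULL)
        return false;
    if (uri_len >= sizeof g_uri_buf)      /* leave room for the NUL terminator */
        return false;
    /* "%.*s" bounds the source read; sizeof bounds the destination write. */
    int n = snprintf(g_uri_buf, sizeof g_uri_buf, "%.*s", (int)uri_len, request_uri);
    if (n < 0 || (size_t)n >= sizeof g_uri_buf) {
        g_uri_buf[0] = '\0';              /* unreachable after the check, but fail closed */
        return false;
    }
    return true;
}

const char *stored_uri(void)
{
    return g_uri_buf;
}

/* Locate the URI inside "METHOD SP URI SP VERSION" without copying it.
 * Uses memchr with the caller's length rather than strlen, because request
 * bytes arriving from the network need not be NUL-terminated. */
bool parse_request_line(const char *line, size_t line_len,
                        const char **uri, size_t *uri_len)
{
    const char *sp1 = memchr(line, ' ', line_len);
    if (sp1 == NULL)
        return false;
    const char *start = sp1 + 1;
    size_t remaining = line_len - (size_t)(start - line);
    const char *sp2 = memchr(start, ' ', remaining);
    if (sp2 == NULL)
        return false;
    *uri = start;
    *uri_len = (size_t)(sp2 - start);
    return *uri_len > 0;
}

/* The pre-authentication path a request takes: parse, then bounded store. */
bool handle_request_line(const char *line, size_t line_len)
{
    const char *uri;
    size_t uri_len;
    if (!parse_request_line(line, line_len, &uri, &uri_len))
        return false;
    return store_request_uri(uri, uri_len);
}

/* Demonstration helper: feed the handler a constructed URI of n 'A' bytes
 * and report whether it was accepted. */
bool accepts_uri_of_length(size_t n)
{
    static char probe[8192];
    if (n >= sizeof probe)
        return false;
    memset(probe, 'A', n);
    probe[n] = '\0';
    return store_request_uri(probe, n);
}

int main(void)
{
    printf("999-byte URI accepted:  %d\n", accepts_uri_of_length(999));
    printf("1000-byte URI accepted: %d\n", accepts_uri_of_length(1000));
    printf("5000-byte URI accepted: %d\n", accepts_uri_of_length(5000));
    return 0;
}
```

The length check is the part that matters: snprintf alone would truncate silently and still let the request proceed, whereas refusing the request keeps an over-long URI from reaching any later code that assumes the stored string is complete.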
Hardcoded password (CVE-2026-7839)
On first run, the repeater writes a default admin password. The HTTP login also lacks rate limiting and lockout, so anyone who knows the default can sign in remotely. That grants full control over allow and deny rules and gives the intruder visibility into active sessions. This flaw rates CVSS 9.1.
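As an added example (not UltraVNC code), the C program below implements the two controls the advisory says the repeater's HTTP login lacks: it refuses to operate while the configured admin password still equals the shipped default, and it locks a client address out after repeated failures. The threshold, lockout window, placeholder default password and client table are all constructed assumptions; the advisory does not print the real default value or prescribe a policy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical policy values; the advisory states only that the real login
 * has no rate limiting or lockout at all. */
#define MAX_FAILURES     5      /* consecutive failures before lockout */
#define LOCKOUT_SECONDS  900    /* 15 minutes */
#define MAX_TRACKED      256    /* distinct client addresses kept in memory */

/* Placeholder for the shipped default password. The advisory does not print
 * the real value; the point is that the server refuses to run with it. */
#define DEFAULT_ADMIN_PASSWORD_PLACEHOLDER "CHANGE-ME-DEFAULT"

enum login_result {
    LOGIN_OK,
    LOGIN_BAD_CREDENTIALS,
    LOGIN_LOCKED_OUT,
    LOGIN_DEFAULT_PASSWORD_REFUSED
};

struct client_state {
    bool     in_use;
    char     addr[64];
    unsigned failures;
    time_t   locked_until;
};

static struct client_state g_clients[MAX_TRACKED];

/* Compare without an early exit on the first mismatching byte, so timing
 * does not leak how much of the guess was right. */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)((la ^ lb) != 0);
    size_t n = la < lb ? la : lb;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static struct client_state *find_or_add(const char *addr)
{
    struct client_state *free_slot = NULL;
    for (size_t i = 0; i < MAX_TRACKED; i++) {
        if (g_clients[i].in_use) {
            if (strcmp(g_clients[i].addr, addr) == 0)
                return &g_clients[i];
        } else if (free_slot == NULL) {
            free_slot = &g_clients[i];
        }
    }
    if (free_slot == NULL)
        return NULL;                         /* table full: caller fails closed */
    memset(free_slot, 0, sizeof *free_slot);
    free_slot->in_use = true;
    strncpy(free_slot->addr, addr, sizeof free_slot->addr - 1);
    return free_slot;
}

void reset_login_state(void)
{
    memset(g_clients, 0, sizeof g_clients);
}

/* One login attempt from client_addr at wall-clock time `now`. */
enum login_result check_login(const char *client_addr,
                              const char *configured_password,
                              const char *supplied_password,
                              time_t now)
{
    /* Refuse to serve at all until the default has been changed. */
    if (ct_equal(configured_password, DEFAULT_ADMIN_PASSWORD_PLACEHOLDER))
        return LOGIN_DEFAULT_PASSWORD_REFUSED;

    struct client_state *c = find_or_add(client_addr);
    if (c == NULL)
        return LOGIN_LOCKED_OUT;             /* no room to track: fail closed */
    if (c->locked_until > now)
        return LOGIN_LOCKED_OUT;

    if (ct_equal(configured_password, supplied_password)) {
        c->failures = 0;                     /* success clears the counter */
        return LOGIN_OK;
    }
    if (++c->failures >= MAX_FAILURES) {
        c->locked_until = now + LOCKOUT_SECONDS;
        c->failures = 0;
    }
    return LOGIN_BAD_CREDENTIALS;
}

int main(void)
{
    reset_login_state();
    printf("default password accepted: %d\n",
           check_login("192.0.2.10", DEFAULT_ADMIN_PASSWORD_PLACEHOLDER,
                       DEFAULT_ADMIN_PASSWORD_PLACEHOLDER, time(NULL)) == LOGIN_OK);
    return 0;
}
```

A per-address lockout is a partial control on its own: it can be used to lock out a legitimate administrator, and it does nothing against guesses spread across many source addresses, which is why the advisory's mitigation also keeps the admin port off the public internet.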
Affected Versions
Both bugs affect the UltraVNC repeater through 1.8.2.2. Earlier builds share the same vulnerable code paths.
Patch and Mitigation
Update to the newest repeater release from the official UltraVNC download page. Next, block public access to the admin port, TCP 80. Change any default credentials right away. Where possible, place the repeater behind a firewall or VPN. Also audit your logs for unexpected admin logins. Together, these steps cut the exposure fast.