eastbaycyber

CVE-2026-7840: UltraVNC Repeater Buffer Overflow

CVE explainers 9 min read
SR
Security Research Desk Expert reviewed
Threat intelligence · Human-verified · Updated 2026-07-01
▲ Escalation ViewOne CVE, briefed at three altitudes — skim the Brief, weigh the Impact, or work the Runbook. The way a SOC actually reads it.
CISOBrief · 30-second brief
Field Value
CVE ID CVE-2026-7840
CVSS score 9.8 (Critical)
Attack vector Not explicitly provided in the cited NVD output; reachable over the network via the embedded HTTP service
Auth required None
Patch status No fixed version confirmed from the provided NVD references

TL;DR - Critical pre-auth buffer overflow in UltraVNC Repeater through 1.8.2.2. - Exposed HTTP admin service can be attacked remotely without credentials. - No confirmed fix version in the provided sources, so restrict access immediately.

AnalystImpact · assess the risk

What Happened and Why This Matters

CVE-2026-7840 is a critical global buffer overflow in UltraVNC Repeater through version 1.8.2.2. According to the NVD description, the flaw sits in the product’s embedded HTTP administration server and affects the functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c. Those functions reportedly copy a caller-controlled HTTP request URI into a fixed 1000-byte global buffer named hdrbuf using unchecked sprintf calls.

From a defender’s perspective, this is not a marginal bug. The NVD description says the HTTP receive buffer can accept URIs up to roughly 150 KB (WI_RXBUFSIZE = 153600), and an attacker can trigger the overflow with a URI of around 1500 bytes or more. That means the vulnerable path is exposed before authentication and can be reached by any remote party that can connect to the HTTP administration interface, typically TCP port 80. The stated impact is remote arbitrary code execution on the repeater host.

Affected Products and Version Range

The affected product identified in the available sources is UltraVNC Repeater. The version range currently supported by the NVD description is “through 1.8.2.2”, which means defenders should treat all versions up to and including 1.8.2.2 as vulnerable unless they have stronger vendor evidence showing otherwise.

A crucial limitation is that the provided source set does not confirm a fixed release number. The NVD references in the research note point to the UltraVNC GitHub repository and the official vendor site, but the supplied findings do not show an advisory, release note, or commit mapping this CVE to a specific patched version. In practice, that means your asset inventory should tag 1.8.2.2 and earlier as exposed, and anything newer should be considered unverified rather than automatically safe until the vendor publishes a definitive fix statement.

Exploitation Status and Defender Assumptions

At the time of writing, exploitation in the wild is not confirmed from the provided data. The CVE is not listed in CISA’s Known Exploited Vulnerabilities catalog, which means there is no CISA-backed confirmation of active exploitation at this time. That is useful context, but it should not be read as a sign the issue is low-risk.

Also, no public PoC is confirmed from the available sources in this research set. However, defenders should not over-index on the absence of a PoC. The NVD description already provides unusually actionable technical details: vulnerable function names, source path, a fixed-size target buffer, a rough trigger length, and the note that exploitation is reachable before authentication over the HTTP admin interface. For an experienced attacker or researcher, that is often enough to reproduce the bug quickly.

Risk Assessment for Real Environments

The most important operational question is whether your UltraVNC Repeater HTTP administration service is reachable by untrusted networks. If it is exposed to the internet, partner networks, branch segments, or user VLANs, you should treat this as a potential unauthenticated remote code execution path with critical urgency. Even if the vulnerable service is only on an internal network, many organizations have broad east-west reachability that makes internal exposure meaningful.

The second risk factor is host placement. UltraVNC Repeater instances often sit in positions that support remote administration workflows, which can make them attractive pivot points. A successful compromise of the repeater host could expose credentials, provide lateral movement opportunities, or interfere with remote support operations. Because the available data does not confirm a fixed version, the safest assumption is that network controls and service exposure reduction are your immediate defenses.

Technical Deep Dive

The underlying bug is described as a global buffer overflow involving a fixed 1000-byte global buffer, hdrbuf, in the embedded web GUI code. The reported vulnerable functions, wi_senderr() and wi_replyhdr(), use unchecked sprintf calls to place an attacker-controlled URI into that buffer. This is a classic memory safety failure: unbounded copy into fixed storage with attacker-controlled input length.

Two details make this especially serious. First, the overflow occurs in processing of the HTTP request URI, which is available before authentication. Second, the receive buffer size is said to allow much larger input than the target buffer can safely hold. NVD notes URIs up to about 150 KB may be accepted, while the fixed destination buffer is only 1000 bytes. That gap creates an obvious overflow condition and reportedly allows corruption of adjacent global variables in the .bss segment, with the stated consequence of remote arbitrary code execution.

Technical Notes

The functions and file path called out in the NVD description are:

// Reported vulnerable locations from NVD description
wi_senderr()
wi_replyhdr()

// File path
repeater/webgui/webutils.c

The core unsafe pattern is described as unchecked formatting into a fixed-size buffer:

// Simplified conceptual example based on the NVD description
char hdrbuf[1000];
sprintf(hdrbuf, "HTTP/1.1 404 Not Found\r\nLocation: %s\r\n\r\n", request_uri);

In a safe implementation, a bounded function and explicit length handling would be expected instead:

// Safer conceptual approach
_snprintf(hdrbuf, sizeof(hdrbuf),
          "HTTP/1.1 404 Not Found\r\nLocation: %s\r\n\r\n",
          request_uri_truncated);
hdrbuf[sizeof(hdrbuf) - 1] = '\0';

This example is illustrative, not a claim about the exact vendor patch. The important point for defenders is that the vulnerable condition is tied to oversized URIs hitting the embedded HTTP service.

What Defenders Should Do Next

Start with asset discovery. Identify every host running UltraVNC Repeater, then determine whether the embedded HTTP administration interface is reachable from anything beyond a dedicated management segment. If you cannot quickly verify exposure, assume it may be reachable and put temporary controls in place. That means firewall restriction first, exposure reduction second, and deeper log review in parallel.

Then establish a watchlist for vendor updates. Because the fixed version is not confirmed from the provided references, your patch management team should not close this item based on assumption. Require explicit evidence such as a release note, commit reference, changelog entry, or vendor advisory naming CVE-2026-7840 and stating the first non-vulnerable version. Until that exists, your defensive posture should treat all versions through 1.8.2.2 as vulnerable and any newer version as unverified.

For more information on related security concepts, you can read about microsegmentation and check our FAQ on LLM output security auditing.

ResponderRunbook · act now

Detection Guidance

Detection should focus on unexpected or oversized HTTP requests to the UltraVNC Repeater administration interface, especially requests with abnormally long request URIs. Since the vulnerability is in HTTP request handling before authentication, authentication logs alone will not be sufficient. Web-facing telemetry, reverse proxy logs, firewall logs, EDR network events, and packet captures are all useful sources.

You should also watch for instability on hosts running UltraVNC Repeater. Buffer overflow attempts can present first as process crashes, service restarts, access violations, or unusual child process activity if exploitation succeeds. Because the exact log format depends on how the repeater is deployed, defenders should baseline normal HTTP admin access patterns and flag long or malformed URIs immediately.

Technical Notes

A simple network or web log hunting pattern is to search for HTTP requests to the repeater admin service where the URI length is unusually large, such as greater than 1000 bytes. If you have a reverse proxy, WAF, or Zeek-style HTTP telemetry in front of or near the service, use that first.

-- Example pseudo-SQL for HTTP telemetry
SELECT
  src_ip,
  dest_ip,
  dest_port,
  method,
  uri,
  LENGTH(uri) AS uri_len,
  timestamp
FROM http_logs
WHERE dest_port = 80
  AND LENGTH(uri) >= 1000
ORDER BY timestamp DESC;

If you are using Splunk with HTTP access logs that extract URI fields, a practical hunt looks like this:

index=web OR index=proxy
(dest_port=80 OR url_port=80)
| eval uri_len=len(uri)
| where uri_len>=1000
| stats count min(_time) as first_seen max(_time) as last_seen values(uri_len) as uri_len values(uri) as sample_uri by src_ip dest_ip user_agent

A concrete request pattern worth flagging is any inbound request resembling an oversized path:

GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[1500+ bytes]... HTTP/1.1
Host: <repeater-host>
User-Agent: suspicious-client

For network IDS-style detection, a basic signature concept is long HTTP request lines to the UltraVNC Repeater admin port. Exact production signatures should be tuned to your environment, but the core pattern is:

Alert when:
- TCP destination port = 80 on a host running UltraVNC Repeater
- HTTP method present
- URI/path length >= 1000 bytes

Mitigation and Patching

The vendor-fixed version is unknown from the provided sources, so this section has to separate verified facts from defensive action. The verified fact is that UltraVNC Repeater through 1.8.2.2 is affected. The unverified part is what release, if any, definitively remediates the issue. In the absence of a confirmed fixed version, defenders should assume no safe upgrade target has yet been validated from the available evidence.

That does not leave you helpless. The highest-value mitigations are to remove internet exposure, restrict access to the embedded HTTP administration interface, and disable the HTTP admin service if operationally possible. If the admin interface must remain enabled, allow access only from a tightly controlled management network, VPN, or bastion host. Host-based firewall rules are especially useful here because they reduce attack surface even when upstream controls drift.

Technical Notes

If UltraVNC Repeater is running on Windows, apply a host firewall rule to block inbound HTTP admin access except from a known management IP or subnet. Example using Windows Defender Firewall:

# Block inbound TCP/80 to the repeater host
New-NetFirewallRule -DisplayName "Block UltraVNC Repeater HTTP Admin" `
  -Direction Inbound -Protocol TCP -LocalPort 80 -Action Block

# Optional: allow a trusted admin subnet first
New-NetFirewallRule -DisplayName "Allow UltraVNC Repeater HTTP Admin from Mgmt Subnet" `
  -Direction Inbound -Protocol TCP -LocalPort 80 -RemoteAddress 10.10.10.0/24 -Action Allow

If your deployment process uses a package or scripted update path, you should first identify the installed version before making changes. Example PowerShell checks:

Get-ChildItem "C:\Program Files*\UltraVNC*" -Recurse |
  Select-Object FullName, LastWriteTime

# If the repeater binary exposes file version metadata:
(Get-Item "C:\Path\To\repeater.exe").VersionInfo | Format-List *

Because no fixed version is confirmed in the provided references, an “upgrade command” cannot be honestly provided for a known-safe release. What defenders should do instead is stage and test the newest vendor-published build only after verifying release notes, tags, or an advisory that explicitly mentions CVE-2026-7840. If you maintain software deployment automation, document the upgrade as pending vendor confirmation rather than asserting remediation prematurely.

If disabling the admin interface is supported in your deployment, that is preferable to leaving it reachable. The exact setting or command is not confirmed in the provided sources, so validate against your local configuration and service documentation before making production changes. In environments where the HTTP service cannot be disabled quickly, place the host behind a VPN or reverse proxy ACL immediately.

References

Source URL
NVD CVE record https://nvd.nist.gov/vuln/detail/CVE-2026-7840
CISA KEV catalog https://www.cisa.gov/known-exploited-vulnerabilities-catalog
UltraVNC GitHub repository https://github.com/ultravnc/UltraVNC
UltraVNC official site https://uvnc.com/

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-07-01

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.