oM noM Security Feeds cve
vulnerability context

CVE-2026-7838

CVSS 8.8 HIGHCWE-190OTX 1 pulse

UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. In vncviewer/ClientConnection.cpp, the 4-byte network-supplied reasonLen field (type CARD32) is passed as reasonLen+1 to CheckBufferSize(). Because both operands are unsigned 32-bit, a reasonLen of 0xFFFFFFFF overflows to 0, causing CheckBufferSize to allocate only 256 bytes. The subsequent ReadString(m_netbuf, reasonLen) call then performs ReadExact for the original 4 GiB length into that 256-byte heap buffer. This overflow is reachable via rfbConnF...

Published 2026-07-01 · last modified 2026-07-01

details

CISA KEV status
Not in catalog
CVSS v3
8.8 / HIGH
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE
CWE-190
OTX pulses
1 total, 0 recent

source mentions 2

source consensus

  • Bluesky
Want the 3-bullet summary of CVE-2026-7838, plus webhook alerts when KEV is updated? Pro is $10/mo.