GHSA-95qw-xpp9-h343 · Severity: critical — UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP...
UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP administration server. The functions wi_senderr() and wi_replyhdr() in repeater/webgui/webutils.c write the caller-supplied HTTP request URI into a fixed 1000-byte global buffer (hdrbuf) via unchecked sprintf calls. The HTTP receive buffer accepts URIs up to approximately 150 KB (WI_RXBUFSIZE = 153600), so an unauthenticated attacker who can reach the repeater HTTP port (default TCP 80) can overflow hdrbuf by at least 500 bytes with a single HTTP request containing a URI of 1500 bytes or longer, corrupting adjacent .bss-segment globals. The overflow occurs before any authentication check, making it reachable without credentials. A remote, unauthenticated attacker can achieve arbitrary code execution on the host running the repeater.
Conclusion & alert: CVE-2026-7840 is rated Moderate Risk (61.9/100): CVSS Critical severity, with medium exploitation likelihood (EPSS 1.44%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-09 | 1.20% | 1.44% | +0.24% |
| 2 | 2026-07-01 | — | 1.20% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.3 | 4.0 | CRITICAL |
|
— | — | 33c584b5-0579-4c06-b2a0-8d8329fcab9c |
| 9.8 | 3.1 | CRITICAL |
|
3.9 | 5.9 | 33c584b5-0579-4c06-b2a0-8d8329fcab9c |
GHSA-95qw-xpp9-h343 · Severity: critical — UltraVNC repeater through 1.8.2.2 contains a global buffer overflow in its embedded HTTP...