{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-7829","assignerOrgId":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","state":"PUBLISHED","assignerShortName":"securin","dateReserved":"2026-05-05T03:40:57.359Z","datePublished":"2026-07-01T03:33:22.888Z","dateUpdated":"2026-07-09T04:35:47.621Z"},"containers":{"cna":{"title":"UltraVNC repeater authenticated out-of-bounds write in rule parser via oversized token","descriptions":[{"lang":"en","value":"UltraVNC repeater through 1.8.2.2 contains a post-authentication out-of-bounds write in the allow/deny rule parser. In repeater/webgui/settings.c:225-272, after strncpy_s copies a rule token into temp1[rule1] (25-byte destination) or temp2/temp3 (16-byte destination), the code unconditionally writes a NUL terminator at temp1[rule1][len] = 0 without clamping len to the destination size. When an authenticated administrator saves a rule with a token length equal to or greater than the destination size, the NUL byte is written one or more bytes past the end of the stack-allocated array, corrupting adjacent stack data. An attacker who has obtained admin credentials (including via CVE-2026-7839 default password) can trigger this to gain code execution on the repeater host."}],"affected":[{"vendor":"uvnc","product":"UltraVNC","versions":[{"version":"0","lessThanOrEqual":"1.8.2.2","status":"affected","versionType":"custom"}],"defaultStatus":"unaffected","modules":["repeater"]}],"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-787","lang":"en","description":"Out-of-bounds Write"}]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":7.2,"baseSeverity":"HIGH"}}],"references":[{"url":"https://uvnc.com/","name":"UltraVNC project page","tags":["vendor-advisory"]},{"url":"https://github.com/ultravnc/UltraVNC","name":"UltraVNC source repository","tags":["product"]},{"url":"https://www.securin.io/zero-days/cve-2026-7829-post-auth-oob-nul-write-repeater-rule-parser-ultravnc"}],"timeline":[{"time":"2026-06-02T00:00:00.000Z","lang":"en","value":"Vulnerability discovered during security audit"},{"time":"2026-06-17T00:00:00.000Z","lang":"en","value":"Reported to vendor (coordinated disclosure)"},{"time":"2026-09-15T00:00:00.000Z","lang":"en","value":"Planned public disclosure (90-day window)"}],"credits":[{"lang":"en","value":"Arjun Basnet, Securin (arjun.basnet@securin.io)","type":"finder"}],"source":{"discovery":"EXTERNAL","advisory":"Securin Security Advisory — FINDING-007"},"providerMetadata":{"orgId":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","shortName":"securin","dateUpdated":"2026-07-09T04:35:47.621Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-01T13:13:45.463427Z","id":"CVE-2026-7829","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-01T13:13:52.948Z"}}]}}