CVE-2026-7838
UltraVNC viewer through 1.8.2.2 contains an integer overflow leading to a heap buffer overflow in the RFB protocol failure-response parsing path. In vncviewer/ClientConnection.cpp, the 4-byte network-supplied reasonLen field type CARD32 is passed as reasonLen+1 to CheckBufferSize. Because both...