CVE-2026-3787 - Clarification
Posted: 2026-03-11 20:55
Information about CVE-2026-3787:
- https://www.cvedetails.com/cve/CVE-2026-3787/
The prerequisites are significant:
- An attacker needs to place a fake cryptbase.dll in the application directory (e.g. C:\Program Files\UltraVNC).
To be able to do that he needs "write access" to the install directory - which on a standard Windows installation requires a "Local Administrator" account or explicit ACL grants.
- If an attacker has admin access, he can replace any file, such as winvnc.exe or cmd.exe, with his own version.
A fix is needed for:
- Compliance/audit requirements - security scanners flag the missing flag regardless of exploitability, so fixing it makes the product pass audits (STIG, CIS, etc.).
We have added some protection against this in the upcoming version; this protects winvnc.exe from using a fake cryptbase.dll after an administrator has placed it in the UltraVNC folder...
Important:
- If an attacker has admin access, he can actually do whatever he wants, not only replace a Windows DLL.
Download a development UltraVNC version:
- https://forum.uvnc.com/viewtopic.php?t=38134
- https://uvnc.eu/download/1710/UltraVNC_17111-dev.zip
- https://uvnc.eu/download/1710/UltraVNC_ ... _Setup.exe
- https://uvnc.eu/download/1710/UltraVNC_ ... _Setup.exe
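An administrator-side check for the precondition discussed in this post, added here as an example (not UltraVNC project code): it lists non-default principals with write access to the install directory and flags any DLL there whose name also exists in System32, which generalizes beyond cryptbase.dll. The default path is the post's example, and the trusted-SID list is an assumption about a default Windows installation.

```powershell
# Added example, not UltraVNC project code. Audits the precondition from the
# post: who can write to the install directory, and whether a DLL that shadows
# a Windows system DLL (e.g. cryptbase.dll) is already present there.
param(
    # Example path taken from the post; adjust to the real install location.
    [string]$InstallDir = 'C:\Program Files\UltraVNC'
)

# Assumption: SIDs expected to hold write access on a default Program Files subfolder.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow dropping or swapping a file in the directory, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits some ACEs carry.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::CreateFiles -bor $fsr::AppendData -bor
    $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x40000000 -bor 0x10000000

# Allow-ACEs that grant one of those rights to a principal outside the trusted list.
$writable = foreach ($rule in (Get-Acl -LiteralPath $InstallDir).Access) {
    if ($rule.AccessControlType -ne 'Allow') { continue }
    if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
    # Compare by SID so the check does not depend on the OS display language.
    $sid = $rule.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    if ($trustedSids -notcontains $sid) {
        [pscustomobject]@{ Identity = $rule.IdentityReference.Value; Sid = $sid
                           Rights = $rule.FileSystemRights }
    }
}

# DLLs in the install directory whose file name also exists in System32.
$system32 = Join-Path $env:SystemRoot 'System32'
$shadowing = Get-ChildItem -LiteralPath $InstallDir -Filter *.dll -File |
    Where-Object { Test-Path -LiteralPath (Join-Path $system32 $_.Name) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{ Dll = $_.FullName; Signature = $sig.Status
                           Signer = $sig.SignerCertificate.Subject }
    }

'Non-default principals with write access:'; $writable  | Format-Table -AutoSize
'DLLs that shadow a System32 name:';         $shadowing | Format-Table -AutoSize
```

An entry in the second list is a prompt for review of the file's origin and signer, not proof of tampering on its own.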