Skip to main content

UltraVNC CVE-2026-44041

| EUVDEUVD-2026-40878 MEDIUM
Out-of-bounds Read (CWE-125)
2026-07-01 securin GHSA-f9fh-23qv-g394
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (securin) PRIMARY
MEDIUM
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
vuln.today AI
4.2 MEDIUM

AC:H reflects the abnormal caller contract prerequisite; C:L added because adjacent memory disclosure is described as a realistic (if unreliable) outcome, overriding the vendor's C:N.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

2
CVSS changed
Jul 02, 2026 - 16:37 NVD
4.3 (MEDIUM) 6.5 (MEDIUM)
Analysis Generated
Jul 01, 2026 - 05:27 vuln.today

DescriptionNVD

UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to wcslen() before any bounds check. If the caller provides a wide-character buffer that is not properly NUL-terminated, wcslen() reads past the end of the buffer until it encounters a NUL wchar, resulting in an out-of-bounds read. Under typical Win32 API usage this requires an abnormal caller contract. Impact is limited to a potential information disclosure from adjacent memory regions or a process crash (denial of service) if the over-read crosses a page boundary.

AnalysisAI

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the VNC server process or leak adjacent memory content via the vncWc2Mb() wide-string conversion helper in rfb/dh.cpp at line 204. The flaw is triggered when wcslen() is called on a caller-supplied WCHAR pointer without a preceding bounds check, enabling memory over-reads if the buffer lacks proper NUL termination. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid VNC credentials
Delivery
Authenticate to UltraVNC server on Windows
Exploit
Send crafted RFB message with non-NUL-terminated WCHAR buffer
Execution
Trigger vncWc2Mb() wcslen() over-read in rfb/dh.cpp:204
Impact
Crash server process or read adjacent memory

Vulnerability AssessmentAI

Exploitation Exploitation requires possession of valid VNC authentication credentials - the CVSS PR:L metric confirms low-privilege authenticated access is a prerequisite before the vulnerable vncWc2Mb() function can be reached. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L, score 4.3) places this at Medium severity with network reachability and a low-privilege requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid VNC credentials authenticates to an UltraVNC server and sends a crafted RFB protocol message containing a wide-character string field that lacks proper NUL termination, causing the server's vncWc2Mb() function to invoke wcslen() past the buffer boundary. Depending on memory layout at the time of the over-read, the outcome is either a server process crash when the read crosses a page boundary (denial of service) or silent consumption of adjacent memory content until a null wide-character is encountered. …
Remediation Monitor the UltraVNC vendor site at https://uvnc.com/ and the upstream GitHub repository at https://github.com/ultravnc/UltraVNC for a patched release beyond version 1.8.2.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2026-4962 MEDIUM POC
6.4 Mar 27

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2026-7840 CRITICAL
9.3 Jul 01

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac

CVE-2026-7839 CRITICAL
9.1 Jul 01

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r

CVE-2026-7838 HIGH
8.7 Jul 01

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa

CVE-2026-7831 HIGH
7.6 Jul 01

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in

CVE-2026-7830 HIGH
7.4 Jul 01

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h

CVE-2026-7829 HIGH
7.2 Jul 01

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup

CVE-2026-44040 MEDIUM
6.5 Jul 01

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr

CVE-2026-7828 MEDIUM
5.3 Jul 01

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun

CVE-2026-44042 LOW
3.7 Jul 01

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti

Share

CVE-2026-44041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy