Skip to main content

UltraVNC Repeater CVE-2026-44042

| EUVDEUVD-2026-40877 LOW
Off-by-one Error (CWE-193)
2026-07-01 securin GHSA-gh7j-9w79-xm55
3.7
CVSS 3.1 · NVD

Severity by source

Vendor (securin) PRIMARY
LOW
qualitative
NVD
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.7 LOW

Web GUI is network-reachable with no auth required to submit credentials, but AC:H reflects the exact-length crafting requirement and current HTTP-layer constraint blocking practical exploitation.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 05:27 vuln.today

DescriptionNVD

UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). When strlen(authdata) equals sizeof(decode), the decoded output length (approximately 3/4 of input) does not overflow the buffer in current practice because the outer HTTP request bounds constrain the Authorization header. However, the defective check leaves a latent off-by-one condition that could become exploitable if the buffering constraints change. The current risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.

AnalysisAI

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authentication Base64 decoder, where a strict greater-than comparison at repeater/webgui/webutils.c:817 fails to block an input whose length exactly equals the 1024-byte output buffer. Under current code, the outer HTTP request parser incidentally caps Authorization header length before the defect can produce an out-of-bounds write, making this vulnerability practically unexploitable in its present form - but the flaw is real and would become a one-byte stack write if upstream buffering constraints change. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed UltraVNC Repeater web GUI port
Delivery
Craft HTTP request with exact 1024-byte Base64 Authorization header
Exploit
Bypass defective `>` boundary check in wi_uudecode()
Execution
Trigger one-byte write at 1024-byte stack buffer boundary
Impact
Potential Repeater process crash (availability impact)

Vulnerability AssessmentAI

Exploitation Exploitation requires network-level access to the UltraVNC Repeater's embedded HTTP web GUI management interface and the ability to send a crafted HTTP Basic authentication request with a Base64-encoded Authorization header payload whose raw length equals exactly `sizeof(decode)` (1024 bytes). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 3.7 with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L is well-calibrated for the actual vulnerability: network-reachable via the web GUI (AV:N), but high attack complexity (AC:H) correctly captures the requirement for exact-length crafting plus the dependency on removing the incidental HTTP-layer constraint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to the UltraVNC Repeater web GUI constructs an HTTP GET or POST request with a Base64-encoded Authorization header payload crafted to be exactly `sizeof(decode)` (1024) bytes, which bypasses the defective `>` check in `wi_uudecode()` and causes the decoder to process a boundary-length input. Under the current codebase, the HTTP request layer's own input handling prevents the Authorization value from reaching the necessary size, blocking practical exploitation - but a hypothetical future refactor removing that constraint could enable a one-byte stack write that may cause a service crash. …
Remediation Upgrade UltraVNC Repeater to a version that applies the one-character fix (changing `>` to `>=` at `repeater/webgui/webutils.c:817`) once a patched release is published; monitor the vendor advisory at https://uvnc.com/ and the upstream repository at https://github.com/ultravnc/UltraVNC for a confirmed fixed version number, which is not independently verifiable from currently available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2026-4962 MEDIUM POC
6.4 Mar 27

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2026-7840 CRITICAL
9.3 Jul 01

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac

CVE-2026-7839 CRITICAL
9.1 Jul 01

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r

CVE-2026-7838 HIGH
8.7 Jul 01

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa

CVE-2026-7831 HIGH
7.6 Jul 01

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in

CVE-2026-7830 HIGH
7.4 Jul 01

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h

CVE-2026-7829 HIGH
7.2 Jul 01

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup

CVE-2026-44041 MEDIUM
6.5 Jul 01

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V

CVE-2026-44040 MEDIUM
6.5 Jul 01

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr

CVE-2026-7828 MEDIUM
5.3 Jul 01

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun

Share

CVE-2026-44042 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy