Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Web GUI is network-reachable with no auth required to submit credentials, but AC:H reflects the exact-length crafting requirement and current HTTP-layer constraint blocking practical exploitation.
Primary rating from Vendor (securin).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
1DescriptionNVD
UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). When strlen(authdata) equals sizeof(decode), the decoded output length (approximately 3/4 of input) does not overflow the buffer in current practice because the outer HTTP request bounds constrain the Authorization header. However, the defective check leaves a latent off-by-one condition that could become exploitable if the buffering constraints change. The current risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.
AnalysisAI
UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authentication Base64 decoder, where a strict greater-than comparison at repeater/webgui/webutils.c:817 fails to block an input whose length exactly equals the 1024-byte output buffer. Under current code, the outer HTTP request parser incidentally caps Authorization header length before the defect can produce an out-of-bounds write, making this vulnerability practically unexploitable in its present form - but the flaw is real and would become a one-byte stack write if upstream buffering constraints change. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network-level access to the UltraVNC Repeater's embedded HTTP web GUI management interface and the ability to send a crafted HTTP Basic authentication request with a Base64-encoded Authorization header payload whose raw length equals exactly `sizeof(decode)` (1024 bytes). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 3.7 with vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L is well-calibrated for the actual vulnerability: network-reachable via the web GUI (AV:N), but high attack complexity (AC:H) correctly captures the requirement for exact-length crafting plus the dependency on removing the incidental HTTP-layer constraint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to the UltraVNC Repeater web GUI constructs an HTTP GET or POST request with a Base64-encoded Authorization header payload crafted to be exactly `sizeof(decode)` (1024) bytes, which bypasses the defective `>` check in `wi_uudecode()` and causes the decoder to process a boundary-length input. Under the current codebase, the HTTP request layer's own input handling prevents the Authorization value from reaching the necessary size, blocking practical exploitation - but a hypothetical future refactor removing that constraint could enable a one-byte stack write that may cause a service crash. … |
| Remediation | Upgrade UltraVNC Repeater to a version that applies the one-character fix (changing `>` to `>=` at `repeater/webgui/webutils.c:817`) once a patched release is published; monitor the vendor advisory at https://uvnc.com/ and the upstream repository at https://github.com/ultravnc/UltraVNC for a confirmed fixed version number, which is not independently verifiable from currently available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow
UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi
UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow
Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac
Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r
Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa
Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in
Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h
Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup
Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V
UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can pr
Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun
Same weakness CWE-193 – Off-by-one Error
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40877
GHSA-gh7j-9w79-xm55