UltraVNC EUVD-2026-40879

CVE-2026-44040 MEDIUM
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)
2026-07-01 securin GHSA-j37g-g7hg-vhg6
6.5 CVSS 3.1 · NVD

Severity by source

Vendor (securin), PRIMARY: MEDIUM (qualitative)
NVD: 6.5 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI: 7.4 HIGH

Successful auth bypass grants full desktop visibility and control (C:H/I:H); AC:H retained because attacker must observe a live challenge exchange to enumerate the seed.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS 4.0: AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (securin).

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

CVSS changed: Jul 02, 2026 - 16:37 (NVD), 4.8 (MEDIUM) to 6.5 (MEDIUM)
Analysis Generated: Jul 01, 2026 - 05:28 (vuln.today)
CVE Published: Jul 01, 2026 - 03:33 (cve.org), MEDIUM 4.8

Description (NVD)

UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. In rfb/vncauth.c:119-129, the vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand() and generates a 16-byte challenge. The combined seed space is approximately 31 bits (libc rand() internal state) and is entirely determined by publicly-observable values (wall-clock time and process ID). An attacker who can observe the authentication exchange can enumerate the seed space and predict the challenge within seconds, enabling forgery or offline brute-forcing of responses. Note: on Windows, the active code path may use vncEncryptBytes2.cpp which calls CryptGenRandom; reachability on shipped Windows binaries requires compile-graph verification and is under investigation.
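
The seeding pattern described above, next to a replacement that draws the challenge from the operating system's CSPRNG. This is an added example, not UltraVNC's code: the function names and the seed value are hypothetical, the byte extraction in `challenge_weak` is a sketch of the pattern rather than a copy of `vncRandomBytes()`, and a POSIX system with `/dev/urandom` is assumed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CHALLENGE_LEN 16 /* challenge size stated in the advisory */

/* Weak pattern: libc rand() seeded from one guessable integer.
 * `seed` stands in for time(0) + getpid() + rand(). */
void challenge_weak(unsigned int seed, unsigned char out[CHALLENGE_LEN])
{
    srand(seed);
    for (int i = 0; i < CHALLENGE_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened form: all 16 bytes come from the kernel CSPRNG; fail closed. */
int challenge_csprng(unsigned char out[CHALLENGE_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t n = fread(out, 1, CHALLENGE_LEN, f);
    fclose(f);
    if (n != CHALLENGE_LEN) {
        memset(out, 0, CHALLENGE_LEN); /* never hand back a partial challenge */
        return -1;
    }
    return 0;
}

/* Returns 1 when the same seed yields the same challenge (the defect). */
int weak_is_reproducible(unsigned int seed)
{
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    challenge_weak(seed, a);
    challenge_weak(seed, b);
    return memcmp(a, b, CHALLENGE_LEN) == 0;
}

/* Returns 1 when two CSPRNG challenges were produced and differ. */
int csprng_is_fresh(void)
{
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    if (challenge_csprng(a) != 0 || challenge_csprng(b) != 0) return 0;
    return memcmp(a, b, CHALLENGE_LEN) != 0;
}

int main(void)
{
    printf("weak reproducible: %d, csprng fresh: %d\n",
           weak_is_reproducible(1751340000u) /* constructed seed */, csprng_is_fresh());
    return 0;
}
```

The caller must treat a non-zero return from `challenge_csprng` as a reason to abort the handshake, not as a cue to fall back to `rand()`.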

Analysis (AI)

UltraVNC through 1.8.2.2 exposes a cryptographically weak VNC authentication challenge generator that an attacker can predict by observing network traffic and enumerating a roughly 31-bit seed space derived from wall-clock time and process ID. Successful seed reconstruction allows the attacker to forge or brute-force valid VNC authentication responses, effectively bypassing the RFB challenge-response mechanism and gaining unauthorized remote desktop access. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Recon: Position to observe VNC network traffic
Delivery: Capture cleartext RFB 16-byte challenge
Exploit: Record wall-clock time and observable process context
Install: Enumerate ~31-bit seed space offline
C2: Reconstruct predicted challenge
Execute: Submit forged authentication response
Impact: Gain unauthorized VNC desktop session

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the attacker be able to passively observe the VNC RFB authentication exchange over the network - specifically, the 16-byte challenge transmitted in cleartext during the VNC security handshake. …

Risk Assessment: The NVD-assigned CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N scores 4.8 (Medium), with AC:H reflecting the attacker's need to observe the authentication exchange and enumerate the seed space under timing constraints. …

Exploit Scenario: An attacker with visibility into VNC network traffic - via a compromised network segment, ARP spoofing, or a tap - captures the 16-byte RFB challenge transmitted in cleartext during a legitimate VNC login attempt. Using the known seed formula (time(0) + getpid() + rand()), the attacker enumerates approximately 2 billion seed candidates on commodity hardware, reconstructs the nonce, and submits a forged authentication response to establish an unauthorized VNC session. …

Remediation: No vendor-released patch has been identified at time of analysis - the available references point only to the vendor homepage (https://uvnc.com/) and the GitHub repository (https://github.com/ultravnc/UltraVNC) without specifying a fixed release version. …

CVE-2020-37133 HIGH POC
7.5 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allow

CVE-2026-4962 MEDIUM POC
6.4 Mar 27

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Servi

CVE-2020-37132 MEDIUM POC
6.2 Feb 05

UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allow

CVE-2026-7840 CRITICAL
9.3 Jul 01

Remote code execution in the UltraVNC repeater (through version 1.8.2.2) allows an unauthenticated attacker who can reac

CVE-2026-7839 CRITICAL
9.1 Jul 01

Authentication via hardcoded default credentials in UltraVNC repeater through 1.8.2.2 lets any remote attacker who can r

CVE-2026-7838 HIGH
8.7 Jul 01

Remote code execution in the UltraVNC Viewer (all versions through 1.8.2.2) stems from an integer overflow in the RFB fa

CVE-2026-7831 HIGH
7.6 Jul 01

Denial of service in the UltraVNC viewer (vncviewer) through 1.8.2.2 arises from an off-by-one stack buffer overflow in

CVE-2026-7830 HIGH
7.4 Jul 01

Credential disclosure in UltraVNC through 1.8.2.2 lets a passive network observer break the MS-Logon II authentication h

CVE-2026-7829 HIGH
7.2 Jul 01

Remote code execution in the UltraVNC Repeater (through version 1.8.2.2) allows an authenticated administrator to corrup

CVE-2026-44041 MEDIUM
6.5 Jul 01

Out-of-bounds read in UltraVNC through version 1.8.2.2 allows network-authenticated attackers to potentially crash the V

CVE-2026-7828 MEDIUM
5.3 Jul 01

Heap buffer overflow in UltraVNC Repeater through 1.8.2.2 stems from an integer overflow in the HTTP request logging fun

CVE-2026-44042 LOW
3.7 Jul 01

UltraVNC Repeater through 1.8.2.2 harbors a latent off-by-one stack buffer boundary condition in its HTTP Basic authenti
