Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44041

CVE-2026-44041: UltraVNC Information Disclosure Flaw

CVE-2026-44041 is an information disclosure vulnerability in UltraVNC through version 1.8.2.2 caused by an out-of-bounds read. This article covers the technical details, affected versions, potential impact, and mitigation.

Published:

CVE-2026-44041 Overview

CVE-2026-44041 is an out-of-bounds read vulnerability in UltraVNC through version 1.8.2.2. The flaw resides in the vncWc2Mb() function in rfb/dh.cpp:204, which handles wide-string to multibyte conversion. The function passes a caller-supplied WCHAR pointer directly to wcslen() without bounds validation. When the input wide-character buffer lacks proper NUL termination, wcslen() reads past the buffer boundary until it encounters a NUL wide character. This condition can lead to information disclosure from adjacent memory or a process crash if the over-read crosses a page boundary [CWE-125].

Critical Impact

Attackers with network access can trigger an out-of-bounds read that may disclose adjacent memory contents or cause a denial of service on the UltraVNC process.

Affected Products

  • UltraVNC through version 1.8.2.2
  • Components using the rfb/dh.cpp wide-string conversion helper
  • Deployments exposing the UltraVNC RFB service over the network

Discovery Timeline

  • 2026-07-01 - CVE-2026-44041 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-44041

Vulnerability Analysis

The vulnerability exists inside the vncWc2Mb() helper defined in rfb/dh.cpp at line 204. This helper converts wide-character strings to multibyte strings and calls wcslen() on a WCHAR* argument supplied by the caller. Because wcslen() scans memory until it finds a NUL wide character, an unterminated buffer causes the function to read beyond the intended allocation.

The over-read may traverse arbitrary adjacent memory belonging to the same process. If the scan reaches an unmapped page, the process crashes and terminates the VNC session. If the scan remains inside mapped memory, the resulting multibyte conversion may leak the contents of neighboring allocations back to the caller.

Root Cause

The root cause is a missing length parameter and missing bounds validation on the wide-character input. The function relies on an implicit contract that callers always provide NUL-terminated buffers. Under typical Win32 API usage this contract holds, but any deviation — including malformed protocol data reaching the helper — invalidates the assumption and produces the out-of-bounds read.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker interacting with the UltraVNC service can attempt to influence data paths that reach vncWc2Mb() with a non-NUL-terminated wide-character buffer. Successful triggering results in either information disclosure from adjacent memory regions or a denial of service through process termination. There are no public exploits, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

No verified proof-of-concept code is publicly available. Technical details are described in the GitHub UltraVNC Repository.

Detection Methods for CVE-2026-44041

Indicators of Compromise

  • Unexpected UltraVNC process crashes or restarts on hosts running version 1.8.2.2 or earlier.
  • Access violation exceptions in Windows Event Log referencing the UltraVNC service binary.
  • Anomalous inbound RFB protocol traffic to TCP port 5900 or configured UltraVNC ports.

Detection Strategies

  • Inventory endpoints and servers running UltraVNC and confirm installed versions against the affected range.
  • Monitor for repeated abnormal terminations of winvnc.exe or related UltraVNC processes.
  • Inspect network telemetry for malformed RFB handshake sequences targeting UltraVNC listeners.

Monitoring Recommendations

  • Enable Windows Error Reporting collection for UltraVNC binaries to capture crash dumps for analysis.
  • Alert on inbound connections to UltraVNC ports from untrusted network segments.
  • Correlate process crash events with source IP addresses of active VNC sessions.

How to Mitigate CVE-2026-44041

Immediate Actions Required

  • Restrict network exposure of UltraVNC services to trusted management networks only.
  • Place UltraVNC listeners behind VPN or bastion access controls until a fixed version is deployed.
  • Enforce strong authentication and encryption on all UltraVNC connections.

Patch Information

At the time of publication, no vendor advisory or fixed release is referenced in the NVD entry. Monitor the GitHub UltraVNC Repository and the UltraVNC Official Website for updated releases addressing the vncWc2Mb() boundary handling.

Workarounds

  • Block inbound access to UltraVNC ports at the perimeter firewall from untrusted sources.
  • Segment management VLANs so only authorized administrator workstations can reach VNC endpoints.
  • Consider disabling UltraVNC on non-critical hosts until a patched version is available.
bash
# Configuration example: restrict UltraVNC listener to trusted subnet via Windows Firewall
netsh advfirewall firewall add rule name="UltraVNC Restrict" ^
  dir=in action=allow protocol=TCP localport=5900 ^
  remoteip=10.10.0.0/24 program="C:\Program Files\uvnc bvba\UltraVNC\winvnc.exe"
netsh advfirewall firewall add rule name="UltraVNC Block All" ^
  dir=in action=block protocol=TCP localport=5900

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.