Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44042

CVE-2026-44042: UltraVNC Buffer Overflow Vulnerability

CVE-2026-44042 is a buffer overflow flaw in UltraVNC repeater through version 1.8.2.2 affecting HTTP Basic authentication. This post covers the technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-44042 Overview

CVE-2026-44042 is an off-by-one error [CWE-193] in UltraVNC repeater through version 1.8.2.2. The flaw resides in the wi_uudecode() function at repeater/webgui/webutils.c:817, which handles Base64 decoding for HTTP Basic authentication. The function uses a strict greater-than comparison (>) instead of greater-than-or-equal (>=) when validating input length against the output buffer size. This defect creates a latent one-byte write condition at the boundary of a 1024-byte stack buffer.

Critical Impact

A one-byte out-of-bounds write can occur at the boundary of a 1024-byte stack buffer under constrained conditions, currently limited by outer HTTP request buffering.

Affected Products

  • UltraVNC repeater versions through 1.8.2.2
  • Deployments exposing the repeater HTTP web GUI to network clients
  • Systems using HTTP Basic authentication on the repeater component

Discovery Timeline

  • 2026-07-01 - CVE-2026-44042 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-44042

Vulnerability Analysis

The vulnerability affects the Base64 decode helper wi_uudecode() used during HTTP Basic authentication parsing in the UltraVNC repeater web GUI. The decoder receives the authdata string extracted from the Authorization header and writes the decoded bytes into a fixed-size stack buffer named decode, which is 1024 bytes in size.

The length check compares strlen(authdata) against sizeof(decode) using a strict greater-than operator. When the input length equals the buffer size exactly, the check passes and decoding proceeds. Because Base64 decoding produces approximately 3/4 of the input size, the decoded payload does not currently exceed the buffer in typical deployments. The outer HTTP request handler constrains the header length, limiting exploitation.

However, the boundary condition remains latent. Changes to the surrounding buffering logic or the introduction of longer authorization headers could convert the flaw into a functional one-byte stack write.

Root Cause

The root cause is an incorrect boundary comparison. The code uses if (strlen(authdata) > sizeof(decode)) where the correct guard is >=. This off-by-one error [CWE-193] allows input lengths equal to the destination buffer size to bypass the validation, permitting a single-byte overflow condition at the write boundary.

Attack Vector

An unauthenticated network attacker can send a crafted HTTP request with an Authorization: Basic header containing carefully sized Base64 data. The attack requires network reachability to the repeater HTTP interface. Exploitation complexity is high because current HTTP request buffering in the surrounding code constrains the input length before it reaches the decoder. No user interaction or privileges are required.

The vulnerability manifests in the Base64 decoding path invoked during HTTP Basic authentication. See the GitHub UltraVNC Repository for source-level details.

Detection Methods for CVE-2026-44042

Indicators of Compromise

  • HTTP requests to the UltraVNC repeater web GUI containing unusually long Authorization: Basic headers approaching 1024 bytes
  • Repeated authentication failures from the same source targeting the repeater HTTP endpoint
  • Unexpected process crashes or memory corruption signatures in the repeater service logs

Detection Strategies

  • Inspect web server and repeater logs for Authorization headers with payload lengths near the 1024-byte boundary
  • Deploy web application firewall rules that reject Authorization header values exceeding a conservative maximum length
  • Monitor UltraVNC repeater process integrity for crashes indicative of stack corruption

Monitoring Recommendations

  • Enable verbose logging on the repeater web GUI to capture full request headers for forensic review
  • Track network flows to the repeater HTTP port and alert on anomalous request sizes
  • Correlate repeater service restarts with preceding HTTP requests to identify probing attempts

How to Mitigate CVE-2026-44042

Immediate Actions Required

  • Restrict network access to the UltraVNC repeater HTTP web GUI using firewall rules or network segmentation
  • Disable HTTP Basic authentication on the repeater if the web GUI is not required for operations
  • Audit exposed UltraVNC repeater instances and remove those that are not actively used

Patch Information

No vendor patch identifier is listed in the enriched CVE data at the time of publication. Consult the GitHub UltraVNC Repository and the UltraVNC Official Website for the latest builds and fix status for versions after 1.8.2.2.

Workarounds

  • Place the repeater behind a reverse proxy that enforces strict limits on Authorization header length
  • Bind the repeater web GUI to loopback or an internal management network only
  • Require VPN or bastion access before connections to the repeater HTTP interface are permitted
bash
# Example iptables rule limiting access to trusted management subnet
iptables -A INPUT -p tcp --dport 5912 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5912 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.