CVE-2026-44040
Received Received - Intake

Weak PRNG in UltraVNC Authentication Challenge

Vulnerability report for CVE-2026-44040, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: securin

Description

UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. In rfb/vncauth.c:119-129, the vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand() and generates a 16-byte challenge. The combined seed space is approximately 31 bits (libc rand() internal state) and is entirely determined by publicly-observable values (wall-clock time and process ID). An attacker who can observe the authentication exchange can enumerate the seed space and predict the challenge within seconds, enabling forgery or offline brute-forcing of responses. Note: on Windows, the active code path may use vncEncryptBytes2.cpp which calls CryptGenRandom; reachability on shipped Windows binaries requires compile-graph verification and is under investigation.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ultravnc ultravnc 1.8.2.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in UltraVNC through version 1.8.2.2, where the software uses a cryptographically weak pseudo-random number generator to create VNC authentication challenge bytes.

Specifically, the function vncRandomBytes() seeds the libc rand() function with a combination of the current time, process ID, and a random number, resulting in a seed space of about 31 bits. Because these seed values are based on publicly observable data, an attacker can predict the challenge bytes by enumerating the seed space.

This predictability allows an attacker who can observe the authentication exchange to forge authentication challenges or perform offline brute-force attacks to guess responses.

Impact Analysis

The vulnerability can allow an attacker to predict authentication challenges in the UltraVNC authentication process.

This enables the attacker to forge authentication challenges or perform offline brute-force attacks to gain unauthorized access.

As a result, unauthorized users could potentially bypass authentication controls, compromising the security of systems using vulnerable UltraVNC versions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44040. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart