CVE-2026-44041
Received Received - Intake

Out-of-Bounds Read in UltraVNC DHCP Helper Function

Vulnerability report for CVE-2026-44041, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: securin

Description

UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to wcslen() before any bounds check. If the caller provides a wide-character buffer that is not properly NUL-terminated, wcslen() reads past the end of the buffer until it encounters a NUL wchar, resulting in an out-of-bounds read. Under typical Win32 API usage this requires an abnormal caller contract. Impact is limited to a potential information disclosure from adjacent memory regions or a process crash (denial of service) if the over-read crosses a page boundary.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
ultravnc ultravnc to 1.8.2.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in UltraVNC through version 1.8.2.2 and involves an out-of-bounds read in a function that converts wide-character strings to multibyte strings. Specifically, the function vncWc2Mb() calls wcslen() on a wide-character buffer provided by the caller without first checking if the buffer is properly NUL-terminated. If the buffer is not correctly terminated, wcslen() reads beyond the intended memory area until it finds a NUL character, causing an out-of-bounds read.

This behavior can lead to either information disclosure from adjacent memory or a process crash (denial of service) if the read crosses a memory page boundary.

Compliance Impact

The vulnerability in UltraVNC through 1.8.2.2 involves an out-of-bounds read that could potentially lead to information disclosure from adjacent memory regions or a denial of service. However, the CVE description does not specify any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.

Since the vulnerability may cause limited information disclosure, organizations using UltraVNC should consider the potential risk of exposing sensitive data, which could indirectly affect compliance with data protection regulations. Nonetheless, no explicit connection to compliance requirements is provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, you should update UltraVNC to a version later than 1.8.2.2 where this out-of-bounds read issue is fixed.

Additionally, consider limiting network exposure of UltraVNC services to trusted networks only, and monitor for unusual crashes or information disclosure symptoms that may indicate exploitation attempts.

Impact Analysis

The impact of this vulnerability is limited but can be significant depending on the context. It can cause a process crash, resulting in denial of service, which may disrupt remote desktop access or support sessions.

Additionally, it may lead to information disclosure by reading adjacent memory areas, potentially exposing sensitive data unintentionally.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart