CVE-2026-44042
Status: Received - Intake

UltraVNC Repeater Off-by-One Authentication Bypass

Vulnerability report for CVE-2026-44042, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: securin

Description

UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). When strlen(authdata) equals sizeof(decode), the decoded output length (approximately 3/4 of input) does not overflow the buffer in current practice because the outer HTTP request bounds constrain the Authorization header. However, the defective check leaves a latent off-by-one condition that could become exploitable if the buffering constraints change. The current risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: ultravnc
Product: repeater
Version / Range: 1.8.2.2

Exploitability

CWE: CWE-193 (Off-by-one Error). A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.

Executive Summary

This vulnerability is an off-by-one error in the Base64 decode helper function used for HTTP Basic authentication in UltraVNC repeater versions through 1.8.2.2. Specifically, the function wi_uudecode() incorrectly checks the input length against the output buffer size using a strict greater-than comparison instead of a greater-than-or-equal comparison. This means that when the input length exactly matches the buffer size, the function may write one byte beyond the intended boundary.

Although current usage constraints prevent this from causing a buffer overflow due to limits on the HTTP Authorization header size, the latent off-by-one error could become exploitable if those constraints change.
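The off-by-one described in the Description and in the Executive Summary above, reconstructed as an added C example. This is not UltraVNC's code: the page does not show the body of wi_uudecode(), so the layout here is an assumption. It models an in-place decoder that first copies the encoded Authorization value into the fixed 1024-byte buffer (the size named in the advisory) and then decodes over it; in that layout, guarding the input length with `>` instead of `>=` admits an input exactly as long as the buffer, and the copy's terminating NUL becomes the one-byte write at the boundary. The names basic_auth_decode, input_too_long_strict, input_too_long_fixed and canary_clobbered are invented here. The canary helper shows how a unit test can observe the boundary write without relying on undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not UltraVNC's wi_uudecode(): a Base64 helper for an
 * HTTP Basic Authorization value that decodes in place. The encoded text is
 * copied into the caller's buffer with a NUL terminator and then overwritten
 * by the shorter (about 3/4 size) decoded bytes. That copy is why the guard
 * compares the INPUT length with the buffer size, and why it must reserve one
 * byte for the terminator: `>` and `>=` differ exactly when inlen == bufsize. */

#define BUF 1024   /* buffer size taken from the advisory; the layout is assumed */

/* Numeric value of a Base64 alphabet character, -1 for anything else. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* The two spellings of the length guard; they disagree only at inlen == bufsize. */
int input_too_long_strict(size_t inlen, size_t bufsize) { return inlen > bufsize; }  /* defective */
int input_too_long_fixed(size_t inlen, size_t bufsize)  { return inlen >= bufsize; } /* correct   */

/* Decode `in` into `buf` (capacity `bufsize`). Returns the decoded length,
 * -1 if the guard rejects the input, -2 if the Base64 is malformed. */
int basic_auth_decode(const char *in, char *buf, size_t bufsize, int use_fixed_guard)
{
    size_t inlen = strlen(in);
    int too_long = use_fixed_guard ? input_too_long_fixed(inlen, bufsize)
                                   : input_too_long_strict(inlen, bufsize);
    if (too_long)
        return -1;

    /* Stage 1: copy the encoded text in. With the defective guard and
     * inlen == bufsize, the terminator lands at buf[bufsize]: one byte past. */
    memcpy(buf, in, inlen);
    buf[inlen] = '\0';

    /* Stage 2: decode over the copy, 4 characters -> up to 3 bytes. The write
     * index w never overtakes the read index r, so this stage stays in bounds. */
    size_t r = 0, w = 0;
    while (r < inlen) {
        if (inlen - r < 4)
            return -2;                         /* length must be a multiple of 4 */
        int v[4], pad = 0;
        for (int i = 0; i < 4; i++) {
            unsigned char c = (unsigned char)buf[r + i];
            if (c == '=' && i >= 2) { v[i] = 0; pad++; continue; }
            if (pad || (v[i] = b64_value(c)) < 0)
                return -2;                     /* '=' only at the tail, alphabet only */
        }
        unsigned int bits = ((unsigned)v[0] << 18) | ((unsigned)v[1] << 12) |
                            ((unsigned)v[2] << 6) | (unsigned)v[3];
        buf[w++] = (char)(bits >> 16);
        if (pad < 2) buf[w++] = (char)(bits >> 8);
        if (pad < 1) buf[w++] = (char)bits;
        r += 4;
    }
    buf[w] = '\0';                             /* w <= 3/4 * inlen < bufsize */
    return (int)w;
}

/* Runs one guard variant on an encoded value of exactly BUF characters, with
 * a backing array one byte larger than the size reported to the decoder, so
 * the boundary write is observable rather than undefined behaviour.
 * Returns 1 if the byte just past the declared buffer was modified. */
int canary_clobbered(int use_fixed_guard)
{
    char input[BUF + 1], backing[BUF + 1];
    memset(input, 'A', BUF);                   /* 1024 valid Base64 chars, a multiple of 4 */
    input[BUF] = '\0';
    memset(backing, 0xAA, sizeof backing);     /* backing[BUF] is the canary */
    basic_auth_decode(input, backing, BUF, use_fixed_guard);
    return (unsigned char)backing[BUF] != 0xAA;
}

int main(void)
{
    printf("strict '>'  guard: canary clobbered = %d\n", canary_clobbered(0)); /* 1 */
    printf("fixed  '>=' guard: canary clobbered = %d\n", canary_clobbered(1)); /* 0 */
    return 0;
}
```

The canary test is the check a reviewer would add alongside the one-character fix: it pins the rejection of an input whose length equals the buffer size, so a later change to the surrounding HTTP buffering limits cannot silently turn the latent condition into a reachable overflow.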

Impact Analysis

The impact of this vulnerability is currently limited. It can cause a one-byte write beyond the boundary of a 1024-byte stack buffer under specific constrained conditions. This could potentially lead to memory corruption.

However, because the HTTP request bounds currently constrain the Authorization header size, this off-by-one error does not result in a buffer overflow in practice. The risk remains latent but could increase if buffering constraints are altered.

The CVSS score of 3.7 reflects low severity: no impact on confidentiality or integrity, no user interaction required, and a low availability impact.

Compliance Impact

The vulnerability described is an off-by-one error in the Base64 decode helper used for HTTP Basic authentication in UltraVNC repeater. It results in a limited risk of a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions. There is no indication in the provided information that this vulnerability leads to data disclosure, unauthorized access, or other impacts that would directly affect compliance with common standards and regulations such as GDPR or HIPAA.

Therefore, based on the available information, this vulnerability does not appear to have a direct impact on compliance with regulations like GDPR or HIPAA.
