CVE-2026-44042: Off-by-one Error in uvnc UltraVNC
UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). When strlen(authdata) equals sizeof(decode), the decoded output length (approximately 3/4 of input) does not overflow the buffer in current practice because the outer HTTP request bounds constrain the Authorization header. However, the defective check leaves a latent off-by-one condition that could become exploitable if the buffering constraints change. The current risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.
AI Analysis
Technical Summary
CVE-2026-44042 is an off-by-one vulnerability in UltraVNC repeater (up to version 1.8.2.2) within the Base64 decode helper function (wi_uudecode) used for HTTP Basic authentication. The function incorrectly uses a strict greater-than (>) comparison instead of greater-than-or-equal (>=) when checking input length against the output buffer size. This results in a latent off-by-one condition that could cause a one-byte write at the boundary of a 1024-byte stack buffer. Although the current HTTP request size constraints prevent buffer overflow in practice, changes to these constraints could make the vulnerability exploitable. The CVSS 3.1 score is 3.7 (low), reflecting limited impact and exploitability.
Potential Impact
The vulnerability allows a potential one-byte buffer overwrite on the stack under constrained conditions. There is no impact on confidentiality, integrity, or availability currently demonstrated. Exploitation is limited by HTTP request size restrictions, and no known exploits exist in the wild. The risk is low and primarily theoretical unless buffering constraints change.
Mitigation Recommendations
No official patch or remediation level has been published yet. Patch status is not yet confirmed—check the vendor advisory for current remediation guidance. Until a fix is available, be aware of the limited risk due to current HTTP request size constraints. No immediate action is required beyond monitoring for vendor updates.
CVE-2026-44042: Off-by-one Error in uvnc UltraVNC
Description
UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). When strlen(authdata) equals sizeof(decode), the decoded output length (approximately 3/4 of input) does not overflow the buffer in current practice because the outer HTTP request bounds constrain the Authorization header. However, the defective check leaves a latent off-by-one condition that could become exploitable if the buffering constraints change. The current risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.
CVSS v3.1
Score 3.7low
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-44042 is an off-by-one vulnerability in UltraVNC repeater (up to version 1.8.2.2) within the Base64 decode helper function (wi_uudecode) used for HTTP Basic authentication. The function incorrectly uses a strict greater-than (>) comparison instead of greater-than-or-equal (>=) when checking input length against the output buffer size. This results in a latent off-by-one condition that could cause a one-byte write at the boundary of a 1024-byte stack buffer. Although the current HTTP request size constraints prevent buffer overflow in practice, changes to these constraints could make the vulnerability exploitable. The CVSS 3.1 score is 3.7 (low), reflecting limited impact and exploitability.
Potential Impact
The vulnerability allows a potential one-byte buffer overwrite on the stack under constrained conditions. There is no impact on confidentiality, integrity, or availability currently demonstrated. Exploitation is limited by HTTP request size restrictions, and no known exploits exist in the wild. The risk is low and primarily theoretical unless buffering constraints change.
Mitigation Recommendations
No official patch or remediation level has been published yet. Patch status is not yet confirmed—check the vendor advisory for current remediation guidance. Until a fix is available, be aware of the limited risk due to current HTTP request size constraints. No immediate action is required beyond monitoring for vendor updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- securin
- Date Reserved
- 2026-05-05T03:40:37.003Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a44a07a27e9c79719fbd715
Added to database: 07/01/2026, 05:07:06 UTC
Last enriched: 07/01/2026, 05:22:42 UTC
Last updated: 07/02/2026, 01:22:12 UTC
Views: 59
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.