CVE Catalog

CVE-2026-44042

LowCVSS 3.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile — higher than 23% of all known CVEs

Summary

UltraVNC repeater through version 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In webutils.c:817, the wi_uudecode() function checks if input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). Currently, the risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.

Risk Assessment

The risk for the organization is currently low, but the flaw could become exploitable in the future if buffering constraints change, potentially leading to data integrity compromise or code execution.

Recommendation

It is recommended to update UltraVNC repeater to the latest version that fixes this vulnerability and monitor vendor announcements for patches.

Original NVD description (English source)

UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). When strlen(authdata) equals sizeof(decode), the decoded output length (approximately 3/4 of input) does not overflow the buffer in current practice because the outer HTTP request bounds constrain the Authorization header. However, the defective check leaves a latent off-by-one condition that could become exploitable if the buffering constraints change. The current risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS