Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
| Link | Providers |
|---|---|
| https://github.com/ultravnc/UltraVNC |
|
| https://uvnc.com/ |
|
Wed, 01 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Uvnc
Uvnc ultravnc |
|
| Vendors & Products |
Uvnc
Uvnc ultravnc |
Wed, 01 Jul 2026 05:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. In rfb/vncauth.c:119-129, the vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand() and generates a 16-byte challenge. The combined seed space is approximately 31 bits (libc rand() internal state) and is entirely determined by publicly-observable values (wall-clock time and process ID). An attacker who can observe the authentication exchange can enumerate the seed space and predict the challenge within seconds, enabling forgery or offline brute-forcing of responses. Note: on Windows, the active code path may use vncEncryptBytes2.cpp which calls CryptGenRandom; reachability on shipped Windows binaries requires compile-graph verification and is under investigation. | |
| Title | UltraVNC vncauth.c uses time-seeded libc rand() to generate VNC authentication challenge bytes | |
| Weaknesses | CWE-338 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: securin
Published:
Updated: 2026-07-01T12:45:04.706Z
Reserved: 2026-05-05T03:40:37.003Z
Link: CVE-2026-44040
Updated: 2026-07-01T12:45:00.742Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T13:30:15Z