Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
| Link | Providers |
|---|---|
| https://github.com/ultravnc/UltraVNC |
|
| https://uvnc.com/ |
|
Wed, 01 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Uvnc
Uvnc ultravnc |
|
| Vendors & Products |
Uvnc
Uvnc ultravnc |
Wed, 01 Jul 2026 05:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to wcslen() before any bounds check. If the caller provides a wide-character buffer that is not properly NUL-terminated, wcslen() reads past the end of the buffer until it encounters a NUL wchar, resulting in an out-of-bounds read. Under typical Win32 API usage this requires an abnormal caller contract. Impact is limited to a potential information disclosure from adjacent memory regions or a process crash (denial of service) if the over-read crosses a page boundary. | |
| Title | UltraVNC vncWc2Mb calls wcslen() before validating that the wide string is NUL-terminated | |
| Weaknesses | CWE-125 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: securin
Published:
Updated: 2026-07-01T13:10:40.100Z
Reserved: 2026-05-05T03:40:37.003Z
Link: CVE-2026-44041
Updated: 2026-07-01T13:10:35.463Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T13:30:15Z