CVE-2026-44041 in UltraVNC
Summary
by MITRE • 07/01/2026
UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to wcslen() before any bounds check. If the caller provides a wide-character buffer that is not properly NUL-terminated, wcslen() reads past the end of the buffer until it encounters a NUL wchar, resulting in an out-of-bounds read. Under typical Win32 API usage this requires an abnormal caller contract. Impact is limited to a potential information disclosure from adjacent memory regions or a process crash (denial of service) if the over-read crosses a page boundary.
Analysis
by VulDB Data Team • 07/01/2026
The vulnerability is an out-of-bounds read in UltraVNC through 1.8.2.2, located in the vncWc2Mb() function at rfb/dh.cpp line 204. It is a classic buffer over-read: the function passes a caller-supplied WCHAR pointer straight to wcslen() without first validating the buffer's bounds, so the length it computes depends on finding a NUL wchar that the caller was never required to supply. The defect is a failure of input validation and memory safety in the wide-character string handling.
The operational impact has two aspects. First, the over-read can expose data from memory adjacent to the buffer, an information disclosure that matches CWE-125: "Out-of-bounds Read". Second, if the read crosses a page boundary into unmapped memory, the process crashes, which is a denial of service against availability. The vulnerability is classified under the ATT&CK technique T1059.007: "Command and Scripting Interpreter: Python" through indirect exploitation pathways in which malicious input reaches the conversion helper and triggers the over-read.
The root cause is improper handling of wide-character to multibyte conversion in the VNC protocol implementation, specifically the way the helper determines the input length before converting it. Triggering the flaw requires an abnormal caller contract: typical Win32 API usage passes NUL-terminated wide strings, so normal call patterns do not reach the condition. When a malformed or malicious wide-character buffer without a terminator does reach vncWc2Mb(), however, the missing bounds check makes the over-read deterministic. This is a departure from established secure-coding guidance for string handling.
Mitigation should add explicit bounds checking before any string-length or conversion operation: the helper should receive the capacity of the input buffer and use it, either by checking the bound before calling wcslen() or by using a bounded alternative such as wcsnlen() that stops at the declared capacity. Developers should also rely on defense-in-depth protections such as stack canaries and Address Space Layout Randomization (ASLR) to limit the exploitability of such conditions. The fix should be accompanied by tests with malformed inputs, including unterminated wide buffers, so that every code path handles the edge case, and related conversion helpers in the same codebase should be reviewed for the same pattern.
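The following is an added illustration of the bounded-length pattern recommended above; it is not UltraVNC's code and does not reproduce vncWc2Mb(). The function names (bounded_wlen, encode_utf8, safe_wc2mb) and the sample inputs are constructed for this example. It takes the input buffer's capacity as a parameter, the bound that wcslen() has no way to know, refuses an unterminated buffer instead of scanning past it, and bounds the output as well. It uses portable wchar_t and a hand-written UTF-8 encoder so that it runs outside Windows and independent of locale settings; on Windows the real conversion would go through the multibyte API instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Bounded wide-string length: scans at most `cap` elements and never
 * touches src[cap] or beyond, which is exactly the guarantee wcslen()
 * lacks. Returns `cap` when no terminator lies inside the buffer. */
static size_t bounded_wlen(const wchar_t *src, size_t cap)
{
    size_t n = 0;
    while (n < cap && src[n] != L'\0')
        n++;
    return n;
}

/* Encode one code point as UTF-8 into out[] (room for 4 bytes).
 * Returns the byte count, or 0 for a lone surrogate or out-of-range value.
 * Simplification (an assumption of this example): each wchar_t is treated
 * as one code point; UTF-16 surrogate pairs are not combined. */
static size_t encode_utf8(uint32_t cp, unsigned char *out)
{
    if (cp < 0x80) {
        out[0] = (unsigned char)cp;
        return 1;
    }
    if (cp < 0x800) {
        out[0] = (unsigned char)(0xC0 | (cp >> 6));
        out[1] = (unsigned char)(0x80 | (cp & 0x3F));
        return 2;
    }
    if (cp >= 0xD800 && cp <= 0xDFFF)
        return 0;
    if (cp < 0x10000) {
        out[0] = (unsigned char)(0xE0 | (cp >> 12));
        out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (unsigned char)(0x80 | (cp & 0x3F));
        return 3;
    }
    if (cp < 0x110000) {
        out[0] = (unsigned char)(0xF0 | (cp >> 18));
        out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
        out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
        out[3] = (unsigned char)(0x80 | (cp & 0x3F));
        return 4;
    }
    return 0;
}

/* Hardened wide-to-multibyte conversion (hypothetical name, not UltraVNC's API).
 * src_cap: capacity of src in wchar_t elements, the bound the vulnerable pattern never receives.
 * dst_cap: capacity of dst in bytes, including room for the NUL terminator.
 * Returns bytes written (excluding the NUL), or -1 on NULL arguments, an input with
 * no terminator inside src_cap elements, an unencodable element, or a too-small dst. */
long safe_wc2mb(const wchar_t *src, size_t src_cap, char *dst, size_t dst_cap)
{
    if (src == NULL || dst == NULL || dst_cap == 0)
        return -1;

    size_t n = bounded_wlen(src, src_cap);
    if (n == src_cap)           /* unterminated: refuse instead of reading past the buffer */
        return -1;

    size_t written = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char tmp[4];
        size_t k = encode_utf8((uint32_t)src[i], tmp);
        if (k == 0 || written + k >= dst_cap)   /* >= keeps one byte for the NUL */
            return -1;
        memcpy(dst + written, tmp, k);
        written += k;
    }
    dst[written] = '\0';
    return (long)written;
}

/* Constructed sample inputs for the demonstration (not data from UltraVNC). */
static const wchar_t sample_ok[] = L"abc";
static const wchar_t sample_unterminated[4] = { L'A', L'A', L'A', L'A' };

int main(void)
{
    char out[16];
    long r = safe_wc2mb(sample_ok, sizeof sample_ok / sizeof sample_ok[0], out, sizeof out);
    printf("terminated input   -> %ld bytes: \"%s\"\n", r, r >= 0 ? out : "");
    r = safe_wc2mb(sample_unterminated, 4, out, sizeof out);
    printf("unterminated input -> %ld (rejected, no over-read)\n", r);
    return 0;
}
```

The design point is that the caller's contract becomes explicit in the signature: a caller that cannot state how large its buffer is cannot call the function, and a buffer with no terminator inside the stated capacity is rejected before a single byte past it is read. The same check applies unchanged if the encoder is swapped for the platform's own multibyte conversion routine.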