CVE-2026-44041
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. The vncWc2Mb() function in rfb/dh.cpp:204 calls wcslen() on a caller-supplied WCHAR pointer without prior bounds check, potentially reading past the buffer.
Risk Assessment
Risk includes potential information disclosure from adjacent memory regions or a process crash (denial of service) if the over-read crosses a page boundary. This vulnerability requires an abnormal caller contract under typical Win32 API usage.
Recommendation
Upgrade UltraVNC to the latest version that fixes this vulnerability. If upgrade is not possible, restrict VNC server access to trusted clients only.
Original NVD description (English source)
UltraVNC through 1.8.2.2 contains an out-of-bounds read in the wide-string to multibyte conversion helper. In rfb/dh.cpp:204, the vncWc2Mb() function passes a caller-supplied WCHAR pointer to wcslen() before any bounds check. If the caller provides a wide-character buffer that is not properly NUL-terminated, wcslen() reads past the end of the buffer until it encounters a NUL wchar, resulting in an out-of-bounds read. Under typical Win32 API usage this requires an abnormal caller contract. Impact is limited to a potential information disclosure from adjacent memory regions or a process crash (denial of service) if the over-read crosses a page boundary.

