{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44040","assignerOrgId":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","state":"PUBLISHED","assignerShortName":"securin","dateReserved":"2026-05-05T03:40:37.003Z","datePublished":"2026-07-01T03:33:20.355Z","dateUpdated":"2026-07-09T04:36:05.643Z"},"containers":{"cna":{"title":"UltraVNC vncauth.c uses time-seeded libc rand() to generate VNC authentication challenge bytes","descriptions":[{"lang":"en","value":"UltraVNC through 1.8.2.2 uses a cryptographically weak pseudo-random number generator to produce VNC authentication challenge bytes. In rfb/vncauth.c:119-129, the vncRandomBytes() function seeds libc rand() with time(0) + getpid() + rand() and generates a 16-byte challenge. The combined seed space is approximately 31 bits (libc rand() internal state) and is entirely determined by publicly-observable values (wall-clock time and process ID). An attacker who can observe the authentication exchange can enumerate the seed space and predict the challenge within seconds, enabling forgery or offline brute-forcing of responses. Note: on Windows, the active code path may use vncEncryptBytes2.cpp which calls CryptGenRandom; reachability on shipped Windows binaries requires compile-graph verification and is under investigation."}],"affected":[{"vendor":"uvnc","product":"UltraVNC","versions":[{"version":"0","lessThanOrEqual":"1.8.2.2","status":"affected","versionType":"custom"}],"defaultStatus":"unaffected","modules":["winvnc","vncviewer"]}],"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-338","lang":"en","description":"Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"}]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":4.8,"baseSeverity":"MEDIUM"}}],"references":[{"url":"https://uvnc.com/","name":"UltraVNC project page","tags":["vendor-advisory"]},{"url":"https://github.com/ultravnc/UltraVNC","name":"UltraVNC source repository","tags":["product"]},{"url":"https://www.securin.io/zero-days/cve-2026-44040-libc-rand-weak-rng-vnc-auth-challenge-ultravnc"}],"timeline":[{"time":"2026-06-02T00:00:00.000Z","lang":"en","value":"Vulnerability discovered during security audit"},{"time":"2026-06-17T00:00:00.000Z","lang":"en","value":"Reported to vendor (coordinated disclosure)"},{"time":"2026-09-15T00:00:00.000Z","lang":"en","value":"Planned public disclosure (90-day window)"}],"credits":[{"lang":"en","value":"Arjun Basnet, Securin (arjun.basnet@securin.io)","type":"finder"}],"source":{"discovery":"EXTERNAL","advisory":"Securin Security Advisory — FINDING-001"},"providerMetadata":{"orgId":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","shortName":"securin","dateUpdated":"2026-07-09T04:36:05.643Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-01T12:44:56.012420Z","id":"CVE-2026-44040","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-01T12:45:04.706Z"}}]}}