{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-44042","assignerOrgId":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","state":"PUBLISHED","assignerShortName":"securin","dateReserved":"2026-05-05T03:40:37.003Z","datePublished":"2026-07-01T03:33:07.511Z","dateUpdated":"2026-07-09T04:36:12.685Z"},"containers":{"cna":{"title":"UltraVNC repeater wi_uudecode off-by-one in base64 decode boundary check","descriptions":[{"lang":"en","value":"UltraVNC repeater through 1.8.2.2 contains an off-by-one error in the Base64 decode helper used for HTTP Basic authentication. In repeater/webgui/webutils.c:817, the wi_uudecode() function checks whether the input length exceeds the output buffer with a strict greater-than comparison (>), while the correct check should be greater-than-or-equal (>=). When strlen(authdata) equals sizeof(decode), the decoded output length (approximately 3/4 of input) does not overflow the buffer in current practice because the outer HTTP request bounds constrain the Authorization header. However, the defective check leaves a latent off-by-one condition that could become exploitable if the buffering constraints change. The current risk is limited to a one-byte write at the boundary of a 1024-byte stack buffer under constrained conditions."}],"affected":[{"vendor":"uvnc","product":"UltraVNC","versions":[{"version":"0","lessThanOrEqual":"1.8.2.2","status":"affected","versionType":"custom"}],"defaultStatus":"unaffected","modules":["repeater"]}],"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-193","lang":"en","description":"Off-by-one Error"}]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"LOW","baseScore":3.7,"baseSeverity":"LOW"}}],"references":[{"url":"https://uvnc.com/","name":"UltraVNC project page","tags":["vendor-advisory"]},{"url":"https://github.com/ultravnc/UltraVNC","name":"UltraVNC source repository","tags":["product"]},{"url":"https://www.securin.io/zero-days/cve-2026-44042-wi-uudecode-off-by-one-bounded-ultravnc-repeater"}],"timeline":[{"time":"2026-06-02T00:00:00.000Z","lang":"en","value":"Vulnerability discovered during security audit"},{"time":"2026-06-17T00:00:00.000Z","lang":"en","value":"Reported to vendor (coordinated disclosure)"},{"time":"2026-09-15T00:00:00.000Z","lang":"en","value":"Planned public disclosure (90-day window)"}],"credits":[{"lang":"en","value":"Arjun Basnet, Securin (arjun.basnet@securin.io)","type":"finder"}],"source":{"discovery":"EXTERNAL","advisory":"Securin Security Advisory — FINDING-008"},"providerMetadata":{"orgId":"33c584b5-0579-4c06-b2a0-8d8329fcab9c","shortName":"securin","dateUpdated":"2026-07-09T04:36:12.685Z"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-01T13:08:54.695763Z","id":"CVE-2026-44042","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-01T13:09:24.760Z"}}]}}