1.1.0

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

valvesoftware

CWE-787

NVD

Published: 2020-12-02

Updated: 2022-04-12

Summary

Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long encrypted messages in function AES_GCM_DecryptContext::Decrypt() when compiled using libsodium, leading to a Stack-Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code execution.

Vulnerable Configurations

Part	Description	Count
Application	Valvesoftware Valvesoftware Game Networking Sockets - Valvesoftware Game Networking Sockets 1.0.0 Valvesoftware Game Networking Sockets 1.1.0	3

Common Weakness Enumeration (CWE)

CWE-787 - Out-of-bounds Write

References

https://github.com/ValveSoftware/GameNetworkingSockets/commit/bea84e2844b647532a9b7fbc3a6a8989d66e49e3
https://research.checkpoint.com/2020/game-on-finding-vulnerabilities-in-valves-steam-sockets/