CVE-2016-5237

MEDIUM

Valve SteamOS < 3.42.16.13 - Local Privilege Escalation via Weak File Permissions

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-5237. PoCs published by Gregory Smiley.

AI-analyzed exploit summary This exploit describes a local privilege escalation vulnerability in Valve Steam due to weak file permissions, allowing users in the BUILTIN\Users group to modify executable files in the Steam directory. The proof of concept involves replacing Steam.exe or related files with malicious code.

Description

Valve Steam 3.42.16.13 uses weak permissions for the files in the Steam program directory, which allows local users to modify the files and possibly gain privileges as demonstrated by a Trojan horse Steam.exe file.

Exploits (1)

exploitdb WRITEUP
by Gregory Smiley · textlocalwindows
https://www.exploit-db.com/exploits/39888

This exploit describes a local privilege escalation vulnerability in Valve Steam due to weak file permissions, allowing users in the BUILTIN\Users group to modify executable files in the Steam directory. The proof of concept involves replacing Steam.exe or related files with malicious code.

Classification
Writeup 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Valve Steam 3.42.16.13
Auth required
Prerequisites: Access to a system with Valve Steam installed · User account with membership in BUILTIN\Users group
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39888/

Scores

CVSS v3 4.8
EPSS 0.0078
EPSS Percentile 51.4%
Attack Vector LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Details

CWE
CWE-264
Status published
Products (1)
valvesoftware/steamos < 3.42.16.13
Published Jan 23, 2017
Tracked Since Feb 18, 2026