CVE-2018-1000224

HIGH

Godot Engine < 2.1.5 and 3.0 < 3.0.6 - Denial of Service via Malformed Network Packet

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-1000224. PoCs published by zann1x.

Description

Godot Engine version All versions prior to 2.1.5, all 3.0 versions prior to 3.0.6. contains a Signed/unsigned comparison, wrong buffer size chackes, integer overflow, missing padding initialization vulnerability in (De)Serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death), possible leak of uninitialized memory. This attack appear to be exploitable via A malformed packet is received over the network by a Godot application that uses built-in serialization (e.g. game server, or game client). Could be triggered by multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.

Exploits (1)

References (3)

Core 3
Core References
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://github.com/godotengine/godot/issues/20558

Scores

CVSS v3 7.5
EPSS 0.0379
EPSS Percentile 88.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-681 CWE-908 CWE-131 CWE-909 CWE-190
Status published
Products (1)
godotengine/godot < 2.1.5
Published Aug 20, 2018
Tracked Since Feb 18, 2026