CVE-2019-15316
HIGHValvesoftware Steam Client - Incorrect Permission Assignment
Title source: ruleDescription
Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition.
References (4)
Core 4
Core References
Third Party Advisory x_refsource_misc
https://amonitoring.ru/article/onemore_steam_eop_0day/
Third Party Advisory x_refsource_misc
https://habr.com/ru/company/pm/blog/464367/
Exploit, Third Party Advisory x_refsource_misc
https://www.youtube.com/watch?v=I93aH86BUaE
Exploit, Third Party Advisory x_refsource_misc
https://www.youtube.com/watch?v=ZCHrjP0cMew
Scores
CVSS v3
7.0
EPSS
0.0005
EPSS Percentile
15.7%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-367
CWE-732
Status
published
Products (1)
valvesoftware/steam_client
< 2019-08-20
Published
Aug 21, 2019
Tracked Since
Feb 18, 2026