CVE-2022-31262

HIGH

GOG Galaxy 2.0.46 - Privilege Escalation

Title source: llm

Description

An exploitable local privilege escalation vulnerability exists in GOG Galaxy 2.0.46. Due to insufficient folder permissions, an attacker can hijack the %ProgramData%\GOG.com folder structure and change the GalaxyCommunication service executable to a malicious file, resulting in code execution as SYSTEM.

Exploits (1)

nomisec WORKING POC 5 stars

by secure-77 · poc

https://github.com/secure-77/CVE-2022-31262

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://secure77.de/category/subjects/researches/

[Exploit, Third Party Advisory] https://secure77.de/gog-galaxy-cve-2022-31262/

[Exploit, Third Party Advisory] https://github.com/secure-77/CVE-2022-31262

[Exploit, Third Party Advisory] https://www.youtube.com/watch?v=Bgdbx5TJShI

Scores

CVSS v3 7.8

EPSS 0.0098

EPSS Percentile 76.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-281

Status published

Products (1)

gog/galaxy 2.0.46 - 2.0.51

Published Aug 17, 2022

Tracked Since Feb 18, 2026