CVE-2022-50918

HIGH

VIVE Runtime Service 1.0.0.4 - Code Injection

Title source: llm

Description

VIVE Runtime Service 1.0.0.4 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific system directories to gain LocalSystem access during service startup.

Exploits (1)

exploitdb WRITEUP

by Faisal Alasmari · textlocalwindows

https://www.exploit-db.com/exploits/50824

View Code ZIP pw:eip

References (4)

[Various Sources] https://developer.vive.com/resources/downloads/

[Various Sources] https://www.vive.com/

[Third Party Advisory] https://www.vulncheck.com/advisories/vive-runtime-service-viveagentservice-unquoted-service-path

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/50824

Scores

CVSS v3 8.4

EPSS 0.0002

EPSS Percentile 4.8%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-428

Status published

Products (1)

VIVE/VIVE Runtime Service 1.0.0.4

Published Jan 13, 2026

Tracked Since Feb 18, 2026