CVE-2024-31226: Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacte...

Description

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.

Metrics

CVSS 3.1

2.9/10

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N

EPSS Probability

0.22%

12.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-428

Affected Software

Vendor	Product	Versions
Lizardbyte	Sunshine	>= 0.17.0, < 0.23.0

References

https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7aPatch
https://github.com/LizardByte/Sunshine/pull/2379Issue Tracking, Patch
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfpVendor Advisory
https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7aPatch
https://github.com/LizardByte/Sunshine/pull/2379Issue Tracking, Patch
https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfpVendor Advisory

Timeline

Published: May 16, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-31226?

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.

How severe is CVE-2024-31226?

CVE-2024-31226 has a CVSS score of 2.9/10 (LOW severity). The EPSS model estimates a 0.22% probability of exploitation in the next 30 days.

How do I fix CVE-2024-31226?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.