Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution

Disclosed: 2018-07-19 21:55:29 By chippy To valve

Critical

Vulnerability Details

A malformed .BSP can trigger an Access Violation on CS:GO that can lead to arbitrary code execution on a remote computer. I have attached a copy of the malformed .BSP which reliably triggers an Access Violation on CS:GO. ## Impact An attacker hosting a malicious server could compromise a remote client by having them download a custom map, triggering remote code execution on the victim's computer.

Actions

View on HackerOne

Report Stats

Report ID: 351014
State: Closed
Substate: resolved
Upvotes: 149

Malformed .BSP Access Violation in CS:GO can lead to Remote Code Execution

Vulnerability Details

Actions

Report Stats

Share this report