Three critical vulnerabilities have been discovered in RenderDoc, a graphics debugger that supports multiple operating systems, including Windows, Linux, Android and Nintendo Switch.
The software holds a prominent position in game development tooling, as it integrates with leading game engines such as Unity and Unreal.
According to cybersecurity specialists from the Qualys Threat Research Unit (TRU), the three vulnerabilities comprise one privilege escalation and two heap-based buffer overflows.
The first of these flaws (tracked as CVE-2023-33865) is a symlink vulnerability that can be exploited by a local attacker with no privilege requirement, potentially granting them the privileges of the RenderDoc user.
The second (tracked as CVE-2023-33864) involves an integer underflow that leads to a heap-based buffer overflow. A remote attacker can exploit this vulnerability to execute arbitrary code on the host machine.
The third vulnerability (tracked as CVE-2023-33863) is an integer overflow that results in a heap-based buffer overflow. While Qualys said no exploitation attempts had been made so far, the flaw could be exploited by a remote attacker to run arbitrary code on the target machine.
“These three vulnerabilities serve as a sobering reminder of the constant vigilance required in our digital world,” explained Saeed Abbasi, manager of vulnerability research at Qualys.
The security expert also emphasized that understanding these vulnerabilities is the first step in strengthening companies’ defenses.
“Qualys strongly advises security teams to apply patches for these vulnerabilities as soon as possible,” Abbasi concluded.
More information about the flaws is available on Qualys’s blog.