Executive Summary

CVE-2026-24817 is an out-of-bounds write vulnerability in the UEVR project, specifically in the error handling function luaG_runerror(). This function was cloned from the Lua programming language but missed a critical security patch that fixed a similar issue in Lua. The vulnerability could cause improper memory handling when errors occur, potentially leading to exploitation. The issue was fixed by backporting the Lua security patch to UEVR, improving the function's robustness and preventing the out-of-bounds write. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to an out-of-bounds write, which may allow an attacker to corrupt memory, cause crashes, or execute arbitrary code. Since the vulnerability exists in the error handling function, it could be triggered during error conditions, potentially compromising the security and stability of applications using UEVR before version 1.05. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should update UEVR to include the security patch applied in pull request #336, which fixes the luaG_runerror() function by backporting a critical Lua security patch. This patch was merged into the master branch on April 25, 2025. Avoid upgrading the entire Lua version to maintain compatibility with UE4SS as per the maintainer's guidance. [1]

Useful 0 Not Useful 0