CVE-2026-24817
Out-of-Bounds Write in praydog UEVR Lua Modules
Publication date: 2026-01-27
Last updated on: 2026-01-27
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praydog | uevr | to 1.05 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24817 is an out-of-bounds write vulnerability in the UEVR project, specifically in the error handling function luaG_runerror(). This function was cloned from the Lua programming language but missed a critical security patch that fixed a similar issue in Lua. The vulnerability could cause improper memory handling when errors occur, potentially leading to exploitation. The issue was fixed by backporting the Lua security patch to UEVR, improving the function's robustness and preventing the out-of-bounds write. [1]
How can this vulnerability impact me? :
This vulnerability can lead to an out-of-bounds write, which may allow an attacker to corrupt memory, cause crashes, or execute arbitrary code. Since the vulnerability exists in the error handling function, it could be triggered during error conditions, potentially compromising the security and stability of applications using UEVR before version 1.05. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update UEVR to include the security patch applied in pull request #336, which fixes the luaG_runerror() function by backporting a critical Lua security patch. This patch was merged into the master branch on April 25, 2025. Avoid upgrading the entire Lua version to maintain compatibility with UE4SS as per the maintainer's guidance. [1]