HOMEVULNERABILITIESCVE-2023-42801
HIGH

CVE-2023-42801

CWE-120Published: December 14, 2023· Updated: Jun 17, 2026

7.6
CVSS v3.1

Official Description

Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to buffer overflow starting in commit f57bd745b4cbed577ea654fad4701bea4d38b44c. A malicious game streaming server could exploit a buffer overflow vulnerability to crash a moonlight client. Achieving RCE is possible but unlikely, due to stack canaries in use by modern compiler toolchains. The published binaries for official clients Qt, Android, iOS/tvOS, and Embedded are built with stack canaries, but some unofficial clients may not use stack canaries. This vulnerability takes place after the pairing process, so it requires the client to be tricked into pairing to a malicious host. It is not possible to perform using a man-in-the-middle due to public key pinning that takes place during the pairing process. The bug was addressed in commit b2497a3918a6d79808d9fd0c04734786e70d5954.

NVD Source

Technical Analysis

CVE-2023-42801 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation does not require any privileges, though user interaction (Required) is needed, which slightly reduces the risk of mass automated attacks.

A successful exploit results in availability disruption (denial of service), with a CVSS base score of 7.6.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionRequired
ScopeUnchanged
Impact
ConfidentialityLow
IntegrityLow
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Affected Vendors & Products

moonlight-stream8 product(s)
moonlight-common-cmoonlightmoonlight embeddedmoonlight xboxmoonlight tvmoonlight switchmoonlight vitamoonlight qt\/pc
Source: NVD CPE · 8 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

All References (8)

Quick Facts

CVE IDCVE-2023-42801
CVSS Score7.6 / 10
SeverityHIGH
WeaknessCWE-120
CISA KEVNo
Affected1 vendor(s)
PublishedDec 14, 2023

Related CVEs (CWE-120)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2023-42801 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.