CVE-2026-24817

N/A Unknown

📋 TL;DR

This CVE describes an out-of-bounds write vulnerability in praydog UEVR's Lua module dependencies (ldebug.C and lvm.C). Attackers could exploit this to execute arbitrary code or crash the application. Users running UEVR versions before 1.05 are affected.

💻 Affected Systems

Products:
  • praydog UEVR
Versions: All versions before 1.05
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the Lua dependency modules used by UEVR

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or limited code execution within the UEVR process context.

🟢 If Mitigated: Application crash with no further impact if proper sandboxing or exploit mitigations are in place.

🌐 Internet-Facing: LOW (UEVR is typically not an internet-facing service)
🏢 Internal Only: MEDIUM (requires user interaction or local access to exploit)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires triggering the out-of-bounds write through UEVR's Lua interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.05

Vendor Advisory: https://github.com/praydog/UEVR/pull/336

Restart Required: Yes

Instructions:

1. Download UEVR version 1.05 or later from official sources
2. Uninstall the previous version
3. Install the updated version
4. Restart the system if prompted

🔧 Temporary Workarounds

Disable Lua scripting (all platforms): Prevent Lua script execution in UEVR if the feature is not required.

🧯 If You Can't Patch

  • Discontinue use of UEVR until patched
  • Run UEVR in a sandboxed/isolated environment

🔍 How to Verify

Check if Vulnerable: Check the UEVR version in the application settings or about dialog

Check Version: Not applicable (check via GUI)

Verify Fix Applied: Confirm the version is 1.05 or higher in the application settings

📡 Detection & Monitoring

Log Indicators:

  • UEVR crash logs
  • Application error reports mentioning ldebug.C or lvm.C

Network Indicators:

  • None (local vulnerability)

SIEM Query:

Application:UEVR AND (EventID:1000 OR EventID:1001) AND ProcessCrash
