CVE-2026-24818

N/A Unknown

📋 TL;DR

An out-of-bounds read vulnerability in praydog UEVR's Lua parser component could allow attackers to read sensitive memory contents. This affects UEVR users running versions before 1.05 who process untrusted Lua scripts.

💻 Affected Systems

Products:
  • praydog UEVR (Universal VR Mod)
Versions: All versions before 1.05
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the Lua parser component used by UEVR

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Disclosure of sensitive memory contents, a potential ASLR bypass, or a crash causing denial of service

🟠 Likely Case: Application crash or instability when processing malformed Lua scripts

🟢 If Mitigated: Limited impact if only trusted Lua scripts are processed

🌐 Internet-Facing: LOW - UEVR is typically not internet-facing software
🏢 Internal Only: MEDIUM - Risk exists if processing untrusted Lua scripts locally

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious Lua scripts that trigger the out-of-bounds read

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.05 and later

Vendor Advisory: https://github.com/praydog/UEVR/pull/337

Restart Required: Yes

Instructions:

1. Download UEVR version 1.05 or later from official sources
2. Replace existing UEVR installation with updated version
3. Restart any running UEVR processes

🔧 Temporary Workarounds

Restrict Lua script sources

Only load Lua scripts from trusted sources

🧯 If You Can't Patch

  • Disable Lua script processing if not required
  • Isolate UEVR in a sandboxed environment

🔍 How to Verify

Check if Vulnerable:

Check UEVR version - if below 1.05, system is vulnerable

Check Version:

Check UEVR interface or documentation for version information

Verify Fix Applied:

Confirm UEVR version is 1.05 or higher

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with memory access violations
  • Unexpected Lua parsing errors

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Application logs showing UEVR crashes or Lua parsing failures
