CVE-2026-24820
📋 TL;DR
An out-of-bounds read vulnerability in WickedEngine's LUA modules (specifically ldebug.c) allows attackers to read memory beyond allocated buffers. This affects applications using WickedEngine's LUA scripting capabilities before version 0.71.705. Game developers and applications embedding WickedEngine are primarily affected.
💻 Affected Systems
- WickedEngine
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Information disclosure leading to memory content leakage, potential ASLR bypass, or application crash enabling denial of service.
Likely Case
Application instability, crashes, or limited information disclosure depending on memory layout and attacker control.
If Mitigated
Controlled crashes with minimal data exposure if proper memory protections and sandboxing are implemented.
🎯 Exploit Status
Exploitation requires ability to supply malicious LUA scripts to the vulnerable component. No public exploit code is currently known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.71.705 or later
Vendor Advisory: https://github.com/turanszkij/WickedEngine/pull/1054
Restart Required: Yes
Instructions:
1. Update WickedEngine to version 0.71.705 or later.
2. Rebuild any applications using WickedEngine.
3. Redeploy updated applications.
🔧 Temporary Workarounds
Disable LUA Scripting
Disable WickedEngine's LUA modules if not required for functionality
Modify application configuration to disable LUA scripting support
🧯 If You Can't Patch
- Implement strict input validation for LUA scripts
- Run WickedEngine in sandboxed/isolated environment
🔍 How to Verify
Check if Vulnerable:
Check WickedEngine version in application dependencies or build configuration
Check Version:
Check WickedEngine version in project configuration files or build logs
Verify Fix Applied:
Verify WickedEngine version is 0.71.705 or later and application has been rebuilt
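The version check above, as an added example that is not part of this advisory or of the WickedEngine project: it parses major.minor.revision version tokens out of build-log lines that mention WickedEngine and compares them against the first fixed release, 0.71.705. The build-log lines are constructed for the example; the exact log format is an assumption, since the advisory does not specify one.

```python
import re

# First fixed release named in the advisory (major, minor, revision).
FIXED_VERSION = (0, 71, 705)

# Matches "0.71.705" or "v0.71.705"; tokens with fewer than three parts are ignored.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first major.minor.revision token in text as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_fixed(version):
    """True when the parsed version is 0.71.705 or later. None (unknown) is treated as not fixed."""
    return version is not None and version >= FIXED_VERSION


def scan_build_log(lines):
    """Return (line_no, version, fixed) for every line that names WickedEngine with a version.

    Only lines that mention WickedEngine are considered so that versions of other
    dependencies in the same log are not mistaken for the engine version.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if "wickedengine" not in line.lower():
            continue
        version = parse_version(line)
        if version is None:
            continue
        findings.append((line_no, version, is_fixed(version)))
    return findings


# Constructed sample build log: one vulnerable and one fixed dependency line.
SAMPLE_BUILD_LOG = """\
-- Found WickedEngine 0.71.689 at /opt/thirdparty/WickedEngine
-- Found Lua 5.4.6
-- Building target: MyGame (Release)
-- Found WickedEngine v0.71.705 at /opt/thirdparty/WickedEngine-fixed
"""

if __name__ == "__main__":
    for line_no, version, fixed in scan_build_log(SAMPLE_BUILD_LOG.splitlines()):
        status = "fixed" if fixed else "VULNERABLE"
        print(f"line {line_no}: WickedEngine {'.'.join(map(str, version))} -> {status}")
```

A fixed version string in the log only shows what was configured; the application must also be rebuilt and redeployed against that version, as the fix instructions above require.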
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory access violations
- Unexpected LUA script execution errors
Network Indicators:
- Unusual LUA script uploads or transfers if applicable
SIEM Query:
Search for application crashes with memory access violation codes related to WickedEngine processes