Valve Software
Products
19- 8 CVEs
- 7 CVEs
- 6 CVEs
- 5 CVEs
- 5 CVEs
- 4 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
40| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-17878 | Cri | 0.64 | 9.8 | 0.02 | Dec 27, 2017 | An issue was discovered in Valve Steam Link build 643. Root passwords longer than 8 characters are truncated because of the default use of DES (aka the CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="des" setting). | ||
| CVE-2017-17877 | Cri | 0.64 | 9.8 | 0.04 | Dec 27, 2017 | An issue was discovered in Valve Steam Link build 643. When the SSH daemon is enabled for local development, the device is publicly available via IPv6 TCP port 22 over the internet (with stateless address autoconfiguration) by default, which makes it easier for remote attackers… | ||
| CVE-2017-20205 | Cri | 0.60 | — | 0.01 | Oct 15, 2025 | Valve's Source SDK (source-sdk-2013)'s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability.The tokenizer function `nexttoken` copies characters from an input string into a fixed-size stack buffer without performing bounds checks. When `ParseKeyValue`… | ||
| CVE-2025-27998 | Hig | 0.55 | 8.4 | 0.00 | May 21, 2025 | An issue in Valvesoftware Steam Client Steam Client 1738026274 allows attackers to escalate privileges via a crafted executable or DLL. | ||
| CVE-2016-5237 | Med | 0.34 | 4.8 | 0.01 | Jan 23, 2017 | Valve Steam 3.42.16.13 uses weak permissions for the files in the Steam program directory, which allows local users to modify the files and possibly gain privileges as demonstrated by a Trojan horse Steam.exe file. | ||
| CVE-2019-15943 | 0.05 | — | 0.09 | Sep 19, 2019 | vphysics.dll in Counter-Strike: Global Offensive before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a memset call. | |||
| CVE-2020-7949 | 0.04 | — | 0.04 | Jan 27, 2020 | schemasystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a GetValue call. | |||
| CVE-2008-3286 | 0.04 | — | 0.09 | Jul 24, 2008 | SWAT 4 1.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via a (1) VERIFYCONTENT or (2) GAMECONFIG command sent to the server before user session initialization, which triggers a NULL pointer dereference; or (3) a GAMESPYRESPONSE command… | |||
| CVE-2015-7985 | 0.03 | — | 0.01 | Nov 24, 2015 | Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) for the Install folder, which allows local users to gain privileges via a Trojan horse steam.exe file. | |||
| CVE-2008-7203 | 0.03 | — | 0.03 | Sep 11, 2009 | Valve Software Half-Life Counter-Strike 1.6 allows remote attackers to cause a denial of service (crash) via multiple crafted login packets. | |||
| CVE-2006-0734 | 0.03 | — | 0.03 | Feb 16, 2006 | The SV_CheckForDuplicateNames function in Valve Software Half-Life CSTRIKE Dedicated Server 1.6 and earlier allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) via a backslash character at the end of a connection string to UDP port… | |||
| CVE-2003-1325 | 0.03 | — | 0.03 | Dec 31, 2003 | The SV_CheckForDuplicateNames function in Valve Software Half-Life CSTRIKE Dedicated Server 1.1.1.0 and earlier allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) via a certain connection string to UDP port 27015 that represents… | |||
| CVE-2002-0964 | 0.03 | — | 0.03 | Oct 4, 2002 | Half-Life Server 1.1.1.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via multiple responses to the initial challenge with different cd_key values, which reaches the player limit and prevents other players from connecting until the… | |||
| CVE-2021-30481 | 0.01 | — | 0.04 | Apr 10, 2021 | Valve Steam before 2021-04-17, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click. | |||
| CVE-2023-38312 | 0.00 | — | 0.01 | Oct 15, 2023 | A directory traversal vulnerability in Valve Counter-Strike 8684 allows a client (with remote control access to a game server) to read arbitrary files from the underlying server via the motdfile console variable. | |||
| CVE-2023-30382 | 0.00 | — | 0.00 | May 23, 2023 | A buffer overflow in the component hl.exe of Valve Half-Life up to 5433873 allows attackers to execute arbitrary code and escalate privileges by supplying crafted parameters. | |||
| CVE-2020-6017 | 0.00 | — | 0.03 | Dec 3, 2020 | Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long unreliable segments in function SNP_ReceiveUnreliableSegment() when configured to support plain-text messages, leading to a Heap-Based Buffer Overflow and resulting in a memory corruption and… | |||
| CVE-2020-6018 | 0.00 | — | 0.03 | Dec 2, 2020 | Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long encrypted messages in function AES_GCM_DecryptContext::Decrypt() when compiled using libsodium, leading to a Stack-Based Buffer Overflow and resulting in a memory corruption and possibly even a… | |||
| CVE-2020-6016 | 0.00 | — | 0.06 | Nov 18, 2020 | Valve's Game Networking Sockets prior to version v1.2.0 improperly handles unreliable segments with negative offsets in function SNP_ReceiveUnreliableSegment(), leading to a Heap-Based Buffer Underflow and a free() of memory not from the heap, resulting in a memory corruption… | |||
| CVE-2020-6019 | 0.00 | — | 0.03 | Nov 13, 2020 | Valve's Game Networking Sockets prior to version v1.2.0 improperly handles inlined statistics messages in function CConnectionTransportUDPBase::Received_Data(), leading to an exception thrown from libprotobuf and resulting in a crash. |
- risk 0.64cvss 9.8epss 0.02
An issue was discovered in Valve Steam Link build 643. Root passwords longer than 8 characters are truncated because of the default use of DES (aka the CONFIG_FEATURE_DEFAULT_PASSWD_ALGO="des" setting).
- risk 0.64cvss 9.8epss 0.04
An issue was discovered in Valve Steam Link build 643. When the SSH daemon is enabled for local development, the device is publicly available via IPv6 TCP port 22 over the internet (with stateless address autoconfiguration) by default, which makes it easier for remote attackers…
- risk 0.60cvss —epss 0.01
Valve's Source SDK (source-sdk-2013)'s ragdoll model parsing logic contains a stack-based buffer overflow vulnerability.The tokenizer function `nexttoken` copies characters from an input string into a fixed-size stack buffer without performing bounds checks. When `ParseKeyValue`…
- risk 0.55cvss 8.4epss 0.00
An issue in Valvesoftware Steam Client Steam Client 1738026274 allows attackers to escalate privileges via a crafted executable or DLL.
- risk 0.34cvss 4.8epss 0.01
Valve Steam 3.42.16.13 uses weak permissions for the files in the Steam program directory, which allows local users to modify the files and possibly gain privileges as demonstrated by a Trojan horse Steam.exe file.
- CVE-2019-15943Sep 19, 2019risk 0.05cvss —epss 0.09
vphysics.dll in Counter-Strike: Global Offensive before 1.37.1.1 allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a memset call.
- CVE-2020-7949Jan 27, 2020risk 0.04cvss —epss 0.04
schemasystem.dll in Valve Dota 2 before 7.23f allows remote attackers to achieve code execution or denial of service by creating a gaming server and inviting a victim to this server, because a crafted map is mishandled during a GetValue call.
- CVE-2008-3286Jul 24, 2008risk 0.04cvss —epss 0.09
SWAT 4 1.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via a (1) VERIFYCONTENT or (2) GAMECONFIG command sent to the server before user session initialization, which triggers a NULL pointer dereference; or (3) a GAMESPYRESPONSE command…
- CVE-2015-7985Nov 24, 2015risk 0.03cvss —epss 0.01
Valve Steam 2.10.91.91 uses weak permissions (Users: read and write) for the Install folder, which allows local users to gain privileges via a Trojan horse steam.exe file.
- CVE-2008-7203Sep 11, 2009risk 0.03cvss —epss 0.03
Valve Software Half-Life Counter-Strike 1.6 allows remote attackers to cause a denial of service (crash) via multiple crafted login packets.
- CVE-2006-0734Feb 16, 2006risk 0.03cvss —epss 0.03
The SV_CheckForDuplicateNames function in Valve Software Half-Life CSTRIKE Dedicated Server 1.6 and earlier allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) via a backslash character at the end of a connection string to UDP port…
- CVE-2003-1325Dec 31, 2003risk 0.03cvss —epss 0.03
The SV_CheckForDuplicateNames function in Valve Software Half-Life CSTRIKE Dedicated Server 1.1.1.0 and earlier allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) via a certain connection string to UDP port 27015 that represents…
- CVE-2002-0964Oct 4, 2002risk 0.03cvss —epss 0.03
Half-Life Server 1.1.1.0 and earlier allows remote attackers to cause a denial of service (resource exhaustion) via multiple responses to the initial challenge with different cd_key values, which reaches the player limit and prevents other players from connecting until the…
- CVE-2021-30481Apr 10, 2021risk 0.01cvss —epss 0.04
Valve Steam before 2021-04-17, when a Source engine game is installed, allows remote authenticated users to execute arbitrary code because of a buffer overflow that occurs for a Steam invite after one click.
- CVE-2023-38312Oct 15, 2023risk 0.00cvss —epss 0.01
A directory traversal vulnerability in Valve Counter-Strike 8684 allows a client (with remote control access to a game server) to read arbitrary files from the underlying server via the motdfile console variable.
- CVE-2023-30382May 23, 2023risk 0.00cvss —epss 0.00
A buffer overflow in the component hl.exe of Valve Half-Life up to 5433873 allows attackers to execute arbitrary code and escalate privileges by supplying crafted parameters.
- CVE-2020-6017Dec 3, 2020risk 0.00cvss —epss 0.03
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long unreliable segments in function SNP_ReceiveUnreliableSegment() when configured to support plain-text messages, leading to a Heap-Based Buffer Overflow and resulting in a memory corruption and…
- CVE-2020-6018Dec 2, 2020risk 0.00cvss —epss 0.03
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long encrypted messages in function AES_GCM_DecryptContext::Decrypt() when compiled using libsodium, leading to a Stack-Based Buffer Overflow and resulting in a memory corruption and possibly even a…
- CVE-2020-6016Nov 18, 2020risk 0.00cvss —epss 0.06
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles unreliable segments with negative offsets in function SNP_ReceiveUnreliableSegment(), leading to a Heap-Based Buffer Underflow and a free() of memory not from the heap, resulting in a memory corruption…
- CVE-2020-6019Nov 13, 2020risk 0.00cvss —epss 0.03
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles inlined statistics messages in function CConnectionTransportUDPBase::Received_Data(), leading to an exception thrown from libprotobuf and resulting in a crash.