Cyber Resilience

CVE-2022-24126

CriticalPublic PoC

Published: 20 March 2022

Published
20 March 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.1451 94.6th percentile
Risk Priority 28 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-24126 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Fromsoftware Dark Souls Iii. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 5.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A buffer overflow vulnerability exists in the NRSessionSearchResult parser within Bandai Namco FromSoftware Dark Souls III versions through March 19, 2022. The flaw, tracked as CVE-2022-24126 and assigned CWE-787, carries a CVSS v3.1 score of 9.8 and stems from improper bounds checking during processing of session search results.

Remote attackers with no authentication or user interaction required can exploit the issue over the network by interacting with the game's matchmaking servers, achieving arbitrary code execution on affected clients. This represents a distinct flaw from the earlier CVE-2021-34170 in the same title.

Public references point to the vendor site at fromsoftware.jp and a GitHub repository containing related technical details at github.com/tremwil/ds3-nrssr-rce, though no explicit patch or mitigation guidance is detailed in the available references. The associated EPSS score has remained flat at 0.1451 with no material increase observed since disclosure.

EU & UK References

Vulnerability details

A buffer overflow in the NRSessionSearchResult parser in Bandai Namco FromSoftware Dark Souls III through 2022-03-19 allows remote attackers to execute arbitrary code via matchmaking servers, a different vulnerability than CVE-2021-34170.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

fromsoftware
dark souls iii
≤ 2022-03-19

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

References