Cyber Resilience

CVE-2023-24059

High

Published: 22 January 2023

Modified: 02 April 2025
KEV Added:
Patch:
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0928 (92.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-24059 is a high-severity Code Injection (CWE-94) vulnerability in Rockstar Games Grand Theft Auto V. Its CVSS base score is 7.3 (High).

Operationally, it ranks in the top 7.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Grand Theft Auto V for PC contains a vulnerability that permits partial remote code execution or arbitrary file modification on affected systems. The flaw is tracked as CVE-2023-24059 with a CVSS 3.1 base score of 7.3 and is associated with CWE-94 code injection weaknesses. It affects the PC version of the game and was publicly disclosed on 22 January 2023.

Attackers can exploit the issue over the network without authentication or user interaction, enabling them to run limited attacker-controlled code or alter files on a victim machine. The vulnerability was observed being exploited in the wild during January 2023, consistent with the network attack vector and low complexity reflected in the CVSS metrics.

Rockstar Games has published support notices addressing the issue, and community discussions on platforms such as Twitter and Reddit highlight player reports of the exploit being used in GTA Online sessions. The associated EPSS score has remained near 0.093 without a pronounced increase after disclosure.

Vulnerability details

Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rockstargames
Product: grand theft auto v
Versions: all versions

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.
