Valve fixes remote code execution vulnerability in Steam after two years

Valve has fixed a remote code execution vulnerability in Steam, but similar vulnerabilities still exist. Security researchers recently revealed that there are several RCEs in Steam and Source games that haven’t been patched for years.

According to German hacker Florian, Valve has now fixed the vulnerability he found, and he is allowed to share the details about it. He hasn’t done that yet, but he writes on Twitter that a detailed technical report is on the way.

Last week, hacker group Secret Club highlighted the existence of various RCE vulnerabilities in Steam and Source games. The bugs were reported a long time ago via bug bounty platform HackerOne, which Valve is affiliated with. However, Valve did not fix the bugs and initially did not respond to messages from the security researchers. The details of the vulnerabilities have not been made public.

After repeatedly contacting Valve and HackerOne, Florian did receive compensation for his find, but two years after he reported the vulnerability, it had still not been resolved. It has now been fixed. Valve itself has not publicly commented on the matter, and it is not known whether the other vulnerabilities will also be fixed in the short term.