{"id":"CVE-2018-1000224","details":"Godot Engine, all versions prior to 2.1.5 and all 3.0 versions prior to 3.0.6, contains signed/unsigned comparison, wrong buffer size checks, integer overflow, and missing padding initialization vulnerabilities in the (de)serialization functions (core/io/marshalls.cpp) that can result in DoS (packet of death) and a possible leak of uninitialized memory. This attack appears to be exploitable via a malformed packet received over the network by a Godot application that uses built-in serialization (e.g. game server, or game client). It could be triggered by a multiplayer opponent. This vulnerability appears to have been fixed in 2.1.5, 3.0.6, and the master branch after commit feaf03421dda0213382b51aff07bd5a96b29487b.","modified":"2026-04-10T04:03:35.417906Z","published":"2018-08-20T20:29:01.597Z","references":[{"type":"ADVISORY","url":"https://godotengine.org/article/maintenance-release-godot-2-1-5"},{"type":"ADVISORY","url":"https://godotengine.org/article/maintenance-release-godot-3-0-6"},{"type":"FIX","url":"https://github.com/godotengine/godot/issues/20558"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/godotengine/godot","events":[{"introduced":"0"},{"fixed":"38ed4b9a8cdea0860eb616ef23306d2ce2d9c86b"},{"introduced":"0"},{"fixed":"8ac39d886307d76c286e804e027fc39f6b5aaac6"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.1.5"},{"introduced":"3.0.0"},{"fixed":"3.0.6"}]}}],"versions":["2.0-stable","2.1-stable","2.1.1-stable","2.1.2-stable","2.1.3-stable","2.1.4-stable","3.0-stable","3.0.1-stable","3.0.2-stable","3.0.3-stable","3.0.4-stable","3.0.5-stable"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000224.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}