{"id":"CVE-2023-42799","summary":"Buffer overflow due to use of `strcpy` in `parseUrlAddrFromRtspUrlString`","details":"Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to buffer overflow starting in commit 50c0a51b10ecc5b3415ea78c21d96d679e2288f9 due to unmitigated usage of unsafe C functions and improper bounds checking. A malicious game streaming server could exploit a buffer overflow vulnerability to crash a moonlight client, or achieve remote code execution (RCE) on the client (with insufficient exploit mitigations or if mitigations can be bypassed). The bug was addressed in commit 02b7742f4d19631024bd766bd2bb76715780004e.","aliases":["GHSA-r8cf-45f4-vf8m"],"modified":"2026-04-12T04:43:53.496146Z","published":"2023-12-14T16:47:00.932Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42799.json","cwe_ids":["CWE-120"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42799.json"},{"type":"ADVISORY","url":"https://github.com/moonlight-stream/moonlight-common-c/security/advisories/GHSA-r8cf-45f4-vf8m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42799"},{"type":"FIX","url":"https://github.com/moonlight-stream/moonlight-common-c/commit/02b7742f4d19631024bd766bd2bb76715780004e"},{"type":"FIX","url":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moonlight-stream/moonlight-common-c","events":[{"introduced":"0"},{"fixed":"02b7742f4d19631024bd766bd2bb76715780004e"},{"fixed":"50c0a51b10ecc5b3415ea78c21d96d679e2288f9"}]},{"type":"GIT","repo":"https://github.com/moonlight-stream/moonlight-ios","events":[{"introduced":"0"},{"last_affected":"83694f8141c8d2d339662469bc21b8ec360a4bea"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.6.0"}]}}],"versions":["v0.1.0-beta-1","v0.1.0-beta-6","v0.1.0-beta-7","v0.1.0-beta-8","v0.1.0-beta-9","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.9.0","v0.9.1","v0.9.2","v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.1.3","v1.1.4","v1.2.0","v1.4.0","v1.5.0","v2.6.0"],"database_specific":{"vanir_signatures_modified":"2026-04-12T04:43:53Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42799.json","vanir_signatures":[{"signature_type":"Line","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","digest":{"threshold":0.9,"line_hashes":["239063600269162047879560378402808421387","304286444082599011488360342623550406703","145133113321982208168002140704311958777","155242177420339314242737221015563163408"]},"target":{"file":"src/Connection.c"},"id":"CVE-2023-42799-53795dc4","signature_version":"v1","deprecated":false},{"signature_type":"Function","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","digest":{"function_hash":"216749568033953369102299049624660539519","length":8701},"target":{"file":"src/Connection.c","function":"LiStartConnection"},"id":"CVE-2023-42799-5645fa6f","signature_version":"v1","deprecated":false},{"signature_type":"Line","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/02b7742f4d19631024bd766bd2bb76715780004e","digest":{"threshold":0.9,"line_hashes":["145361895789606986803063108422463421466","262844706574178262470942437273317287810","335315002908883980926183930954541650765","111858403108666096687427999186670456577","64621012252733102827246247527299668842","7214922318177427030530602083214805699","160129813819765365589890795562805036716","215880915544235868590669370903861300404","91474062565402684808998372414990826714","138543671902459321204983567452339136617","261159981781517212457491899918478565432","31931399327393373915322617883466535404","273346810059171023971702172933797881379","306228892479065641695353242115928375396","171420901697017516682107275382990703968","261681353823014586316143578227949671267","276645249114011696947690199012800191313","279282245950179612367750279770693991391","36780015028460880001815195965426846229","186116110406463169190376949757368717304","339255101326689787282011825490948490334"]},"target":{"file":"src/RtspConnection.c"},"id":"CVE-2023-42799-603c0323","signature_version":"v1","deprecated":false},{"signature_type":"Function","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/02b7742f4d19631024bd766bd2bb76715780004e","digest":{"function_hash":"92148377635259456592917942543466520737","length":634},"target":{"file":"src/RtspConnection.c","function":"parseUrlAddrFromRtspUrlString"},"id":"CVE-2023-42799-6a549146","signature_version":"v1","deprecated":false},{"signature_type":"Function","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/02b7742f4d19631024bd766bd2bb76715780004e","digest":{"function_hash":"162668956479928146255684939537212398577","length":9584},"target":{"file":"src/RtspConnection.c","function":"performRtspHandshake"},"id":"CVE-2023-42799-6c5a7787","signature_version":"v1","deprecated":false},{"signature_type":"Function","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","digest":{"function_hash":"267856921275146833003163000135869781896","length":7653},"target":{"file":"src/RtspConnection.c","function":"performRtspHandshake"},"id":"CVE-2023-42799-71458f6b","signature_version":"v1","deprecated":false},{"signature_type":"Line","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","digest":{"threshold":0.9,"line_hashes":["138937151939253295641556458528757018166","150848591510164444176134670561320576510","141605363688541044481589462279622908555","258973438493162274745206873229966998034"]},"target":{"file":"src/Limelight-internal.h"},"id":"CVE-2023-42799-8128653e","signature_version":"v1","deprecated":false},{"signature_type":"Line","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","digest":{"threshold":0.9,"line_hashes":["176392410645551473757290304504647735423","92349308075097086908155920676915426031","285574399697035579572872130016877408878","228172342884939622137310657408087115136","194411812651883647785865283725786027313","280309381516405937967901095614330029941","21674010121518097526876545884449158568","299568207986546455845422377632948678955","38216044337138339532464182446100492146","40153430615842876630110272734696008915","96557381653404937290649113920685505916","318701121151641294879590171252344670612","872027798981297453299085672544947168","213813951512645245167203532416459142948","276674577814988335607934344724279729806","189112153309367876418389791865469626707","285046150449608262818265695827656232650","204975117690906461705256311130410726675","275403468661015685035481777759761985975"]},"target":{"file":"src/RtspConnection.c"},"id":"CVE-2023-42799-b071c360","signature_version":"v1","deprecated":false}],"unresolved_ranges":[{"events":[{"introduced":"2022-11-04"},{"fixed":"2023-10-06"}]},{"events":[{"introduced":"8.4.0"},{"last_affected":"8.5.0"}]},{"events":[{"introduced":"8.4.0"},{"last_affected":"8.5.0"}]},{"events":[{"introduced":"10.10"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.22"}]},{"events":[{"introduced":"1.12.0"},{"last_affected":"1.14.40"}]},{"events":[{"introduced":"1.5.4"},{"last_affected":"1.5.27"}]},{"events":[{"introduced":"0.13"},{"last_affected":"0.13.3"}]},{"events":[{"introduced":"0.9.2"},{"last_affected":"0.9.3"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}