{"id":"CVE-2023-42800","summary":"Buffer overflow due to use of `strcpy` in `performRtspHandshake`","details":"Moonlight-common-c contains the core GameStream client code shared between Moonlight clients. Moonlight-common-c is vulnerable to a buffer overflow starting in commit 50c0a51b10ecc5b3415ea78c21d96d679e2288f9 due to unmitigated usage of unsafe C functions and improper bounds checking. A malicious game streaming server could exploit the buffer overflow to crash a Moonlight client, or achieve remote code execution (RCE) on the client (if exploit mitigations are insufficient or can be bypassed). The bug was addressed in commit 24750d4b748fefa03d09fcfd6d45056faca354e0. Note that the `references` and `affected` entries of this record also label commit 50c0a51b10ecc5b3415ea78c21d96d679e2288f9 as a fix, which conflicts with the description above, so results from range-based matching should be verified against the two commits named here.","aliases":["GHSA-4927-23jw-rq62"],"modified":"2026-04-12T04:43:53.735472Z","published":"2023-12-14T16:57:44.846Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-120"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42800.json"},"references":[{"type":"WEB","url":"https://github.com/moonlight-stream/moonlight-common-c/blob/2bb026c763fc18807d7e4a93f918054c488f84e1/src/RtspConnection.c#L796"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/42xxx/CVE-2023-42800.json"},{"type":"ADVISORY","url":"https://github.com/moonlight-stream/moonlight-common-c/security/advisories/GHSA-4927-23jw-rq62"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-42800"},{"type":"FIX","url":"https://github.com/moonlight-stream/moonlight-common-c/commit/24750d4b748fefa03d09fcfd6d45056faca354e0"},{"type":"FIX","url":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/moonlight-stream/moonlight-common-c","events":[{"introduced":"0"},{"fixed":"24750d4b748fefa03d09fcfd6d45056faca354e0"},{"fixed":"50c0a51b10ecc5b3415ea78c21d96d679e2288f9"}]},{"type":"GIT","repo":"https://git
hub.com/moonlight-stream/moonlight-ios","events":[{"introduced":"0"},{"last_affected":"83694f8141c8d2d339662469bc21b8ec360a4bea"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.6.0"}]}}],"versions":["v0.1.0-beta-1","v0.1.0-beta-6","v0.1.0-beta-7","v0.1.0-beta-8","v0.1.0-beta-9","v0.2.0","v0.2.1","v0.2.2","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.9.0","v0.9.1","v0.9.2","v1.0.0","v1.0.1","v1.0.2","v1.0.3","v1.0.4","v1.1.3","v1.1.4","v1.2.0","v1.4.0","v1.5.0","v2.6.0"],"database_specific":{"vanir_signatures_modified":"2026-04-12T04:43:53Z","vanir_signatures":[{"id":"CVE-2023-42800-53795dc4","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"src/Connection.c"},"digest":{"threshold":0.9,"line_hashes":["239063600269162047879560378402808421387","304286444082599011488360342623550406703","145133113321982208168002140704311958777","155242177420339314242737221015563163408"]}},{"id":"CVE-2023-42800-5645fa6f","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"file":"src/Connection.c","function":"LiStartConnection"},"digest":{"length":8701,"function_hash":"216749568033953369102299049624660539519"}},{"id":"CVE-2023-42800-6cbf9cf6","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/24750d4b748fefa03d09fcfd6d45056faca354e0","signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"src/RtspConnection.c"},"digest":{"threshold":0.9,"line_hashes":["148394692097508356767351951632609024813","132042617081469502642801404274178369602","286856859093069006104965218113866160685","81405481424843852400990073803804137985"]}},{"id":"CVE-2023-42800-71458f6b","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10
ecc5b3415ea78c21d96d679e2288f9","signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"file":"src/RtspConnection.c","function":"performRtspHandshake"},"digest":{"length":7653,"function_hash":"267856921275146833003163000135869781896"}},{"id":"CVE-2023-42800-7be46cfd","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/24750d4b748fefa03d09fcfd6d45056faca354e0","signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"file":"src/RtspConnection.c","function":"performRtspHandshake"},"digest":{"length":9659,"function_hash":"296101530799337265766383468572227426661"}},{"id":"CVE-2023-42800-8128653e","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"src/Limelight-internal.h"},"digest":{"threshold":0.9,"line_hashes":["138937151939253295641556458528757018166","150848591510164444176134670561320576510","141605363688541044481589462279622908555","258973438493162274745206873229966998034"]}},{"id":"CVE-2023-42800-b071c360","source":"https://github.com/moonlight-stream/moonlight-common-c/commit/50c0a51b10ecc5b3415ea78c21d96d679e2288f9","signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"src/RtspConnection.c"},"digest":{"threshold":0.9,"line_hashes":["176392410645551473757290304504647735423","92349308075097086908155920676915426031","285574399697035579572872130016877408878","228172342884939622137310657408087115136","194411812651883647785865283725786027313","280309381516405937967901095614330029941","21674010121518097526876545884449158568","299568207986546455845422377632948678955","38216044337138339532464182446100492146","40153430615842876630110272734696008915","96557381653404937290649113920685505916","318701121151641294879590171252344670612","872027798981297453299085672544947168","213813951512645245167203532416459142948","276674577814
988335607934344724279729806","189112153309367876418389791865469626707","285046150449608262818265695827656232650","204975117690906461705256311130410726675","275403468661015685035481777759761985975"]}}],"unresolved_ranges":[{"events":[{"introduced":"2022-11-04"},{"fixed":"2023-10-06"}]},{"events":[{"introduced":"8.4.0"},{"last_affected":"8.5.0"}]},{"events":[{"introduced":"8.4.0"},{"last_affected":"8.5.0"}]},{"events":[{"introduced":"10.10"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.22"}]},{"events":[{"introduced":"1.12.0"},{"last_affected":"1.14.40"}]},{"events":[{"introduced":"1.5.4"},{"last_affected":"1.5.27"}]},{"events":[{"introduced":"0.13"},{"last_affected":"0.13.3"}]},{"events":[{"introduced":"0.9.2"},{"last_affected":"0.9.3"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-42800.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}