{"id":"RUSTSEC-2026-0121","summary":"Denial of service in Steamworks game clients/servers using P2P authentication","details":"Processing the raw `ValidateAuthTicketResponse_t` callback data panics when the `m_eAuthSessionResponse` field is `k_EAuthSessionResponseAuthTicketNetworkIdentityFailure`. A malicious game client can trigger this by sending an authentication ticket with a network identity that does not match that of the verifier, which can lead to denial of service in game clients and servers that use the `begin_authentication_session` API to authenticate players. The panic is fixed in version 0.13.1.","aliases":["GHSA-g588-cjg3-6g78"],"modified":"2026-05-12T05:04:00Z","published":"2026-05-05T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/steamworks"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2026-0121.html"},{"type":"REPORT","url":"https://github.com/Noxime/steamworks-rs/issues/321"}],"affected":[{"package":{"name":"steamworks","ecosystem":"crates.io","purl":"pkg:cargo/steamworks"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-0"},{"fixed":"0.13.1"}]}],"ecosystem_specific":{"affects":{"os":[],"functions":["steamworks::Client::process_callbacks","steamworks::Client::register_callback","steamworks::Server::begin_authentication_session","steamworks::User::begin_authentication_session","steamworks::ValidateAuthTicketResponse::from_raw"],"arch":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2026-0121.json","cvss":null,"informational":null,"categories":["denial-of-service"]}}],"schema_version":"1.7.5"}