CVE-2024-31226 | Sunshine's unquoted executable path could lead to hijacked execution flow

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.

Published: 2024-05-16 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2024-31226 is rated Low Risk (23.9/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.22%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2024-31226

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.10% 0.22% +0.12%
2 2025-11-21 0.04% 0.10% +0.05%
3 2025-11-18 0.04%

Full EPSS history (7 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2024-31226

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
4.9 3.1 MEDIUM
CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H Click to expand
Attack vector (AV:P)
Hands-on access—USB, keyboard, opening the case—not something you do purely over the wire.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
0.1 4.7 [email protected]
2.9 3.1 LOW
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.
0.3 2.5 [email protected]

Weakness enumeration for CVE-2024-31226

Affected software / configurations for CVE-2024-31226

Vendor Product Version Raw CPE
lizardbyte sunshine >= 0.17.0, < 0.23.0 cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:*

References for CVE-2024-31226

cvelogic Threat Intelligence