Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the user's computer. This attack vector isn't exploitable unless the user has manually loosened ACLs on the system drive. If the user's system locale is not English, then the name of the executable will likely vary. Version 0.23.0 contains a patch for the issue. Some workarounds are available. One may identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate. Alternatively, ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory `C:`. Require that all executables be placed in write-protected directories.
Conclusion & alert: CVE-2024-31226 is rated Low Risk (23.9/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.22%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.10% | 0.22% | +0.12% |
| 2 | 2025-11-21 | 0.04% | 0.10% | +0.05% |
| 3 | 2025-11-18 | — | 0.04% | — |
Full EPSS history (7 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.9 | 3.1 | MEDIUM |
|
0.1 | 4.7 | [email protected] |
| 2.9 | 3.1 | LOW |
|
0.3 | 2.5 | [email protected] |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| lizardbyte | sunshine | >= 0.17.0, < 0.23.0 | cpe:2.3:a:lizardbyte:sunshine:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/LizardByte/Sunshine/commit/93e622342c4f3e9b34f5f265039b6775b8e33a7a | Patch |
| https://github.com/LizardByte/Sunshine/pull/2379 | Issue Tracking Patch |
| https://github.com/LizardByte/Sunshine/security/advisories/GHSA-r3rw-mx4q-7vfp | Vendor Advisory |