If you have any questions, join us in the CVE Discussions forums and use the CVE Q&A Topic.
Frequently Asked Questions
1. How do I assess the severity or urgency of this?
- There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. The CVE security rating is “High”, and we strongly recommend updating your games and apps as soon as you can.
2. What is a CVE?
- A CVE (Common Vulnerabilities and Exposure) is an industry standard process for disclosing security vulnerabilities based on things like ease of attack or potential damage. The severity ratings range from Low, Medium, High to Critical. For a “High” rating, it’s recommended that you patch your games or apps promptly.
3. Where can I find more detail so that I can assess the severity?
- For comprehensive technical details, please consult our patching tool and remediation guide and Security Advisory.
4. Are there protections in place for games on Steam?
- We have spoken with Valve and they will issue additional protections for the Steam client. For Windows, Microsoft Defender has been updated and will detect and block the vulnerability.
5. Are iOS (including visionOS and tvOS), Xbox, Nintendo Switch, Sony PlayStation, UWP, Quest, and WebGL vulnerable?
- There have been no findings to suggest that the vulnerability is exploitable on these platforms. For the best protection, we always recommend you are on the latest patch release of the version of Unity you are using.
6. What do you recommend if my project targets multiple platforms, some of which are unaffected?
- Updated versions of Unity can be used even for platforms that are not vulnerable. However, if you cannot upgrade Unity versions on unaffected platforms, we recommend integrating the patching tool into your build process as a post build step for vulnerable platforms.
7. Are you working with any other anti-virus protection providers?
- In addition to Microsoft Defender, we are working with Crowdstrike, Fortinet, Sophos, BitDefender, and other EDR (Endpoint Detection and Response) vendors for additional protections.
8. How was the vulnerability discovered?
- The vulnerability was initially discovered by a third party security researcher.
9. What is the exposure or risk to the end user if the vulnerability is exploited?
- To our knowledge, there is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. For comprehensive technical details, please consult our patching tool and remediation guide and Security Advisory.
10. What action did Unity take once it learned about the vulnerability?
- We proactively provided fixes that address the vulnerability and they are already available to all developers. In addition, our platform partners have taken further steps to secure their platforms.
11. What if I choose not to do anything?
- If a developer chooses not to take any action, their application or game built on 2017.1 or later may remain vulnerable and could pose a risk to consumers or device functionality, especially if the issue is later exploited.
- Google, Meta and Microsoft have taken further steps to secure their platforms but we still strongly recommend developers patch or recompile their games and applications as a precaution.
- We also recommend that consumers update their devices and applications with the latest versions of software, turn on auto-updates, avoid suspicious downloads, and follow security best practices.
12. What is the process for reporting future vulnerabilities to Unity?
- We have a Responsible Disclosure policy in place as a part of our ongoing collaboration with internal and external security researchers and also have a Bug Bounty program. For more information on our Bug Bounty program, contact security@unity3d.com or visit our Bug Bounty program on Bugcrowd.
13. What measures are being taken to help prevent similar vulnerabilities in the future?
- We are continually evolving our comprehensive Secure Software Development Lifecycle (SSDLC) program as we identify risks or vulnerabilities, and leveraging opportunities to further improve the security of our products, including by updating our tooling and processes in response to new discoveries.
- To help further improve our ability to identify and address similar vulnerabilities, we’re also enhancing our tooling strategy with new scanning tools, implementing updated guidelines, and adding additional steps to our testing process, including a comprehensive penetration testing process.
14. Will my application be pulled from the store if I don’t update?
- You should contact the app store in question to understand their policy for removing applications with known security vulnerabilities.
15. What should I tell my customers?
- There is no evidence of any exploitation of the vulnerability, nor has there been any impact on end-users.
- We have proactively provided fixes that address the vulnerability and they are already available to all developers. In addition, our platform partners have taken further steps to secure their platforms and protect end-users.
- You can encourage your customers to update their devices and applications with the latest versions of software, turn on auto-updates, avoid suspicious downloads, and follow security best practices.
16. What does the patching tool do to my game?
- On Android, the patching tool modifies the libunity.so file in a way that prevents the vulnerability from being exploited.
- On Windows, the patching tool downloads a patched UnityPlayer.dll for your game’s Unity runtime version and replaces the original one.
- On macOS, the patching tool downloads a patched UnityPlayer.dylib for your game’s Unity runtime version and replaces the original one.
- Please note that if an app uses tamper-proofing techniques, the patch won’t work. The only way to apply the fix safely and successfully is to rebuild the app from source.
17. Is the fix a breaking change in any way?
- The fix is unlikely to break most games. For more details, please reference the Remediation Guide above (link).
18. My game targets a version(s) of the Android SDK and Google Play does not allow app updates to be submitted to the Play Store. If I resubmit, will my update be accepted?
- We have worked with Google to allow a temporary exception to submission rules specifically for the Android SDK for applications that are already live and patched using our provided patching tool. This exception does not apply to other Google SDKs that may have their own version requirements and it may be necessary to update those SDKs before resubmission. Reach out to Google if you need further information or exceptions for your particular applications
19. Why did you only release an update for Editor versions 2019.1 and later, when the vulnerability impacts back to 2017.1?
- The number of applications built with the mono runtime on Unity 2017 or 2018 that are still in circulation is quite small and didn’t justify the delay that would have been required to backport fixes to those versions. For applications built with Unity 2017 or 2018, the patching tool should be sufficient to keep them protected.
- If you have a situation that prevents the patching tool from being an adequate solution, please open a ticket at support.unity.com.
20. Why is the patching tool not available for Linux?
- The vulnerability presents a much lower risk on Linux compared to Android, Windows, and macOS. For the best protection, we always recommend you are on the latest patch release of the version of Unity you are using.
21. What should I do if I am distributing my game to Pico devices?
- Pico is not a supported Unity platform so we cannot be confident whether or not the platform is vulnerable. It is based on Android, so you should update your applications to be safe. We have not built our patching tool to be compatible with Pico’s platform and we have some reports from developers that our patching tool conflicts with Pico’s app hardening feature. We recommend developers wanting to ensure the vulnerability is addressed in their applications rebuild their games with our patched Editor releases.
22. Do I need to take my game or application off any platforms to ensure users are protected?
- There is no need to pull games or applications off any platforms. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. Unity has proactively provided fixes to developers that address the vulnerability, and many of our platform partners have put additional protections in place.