CVE-2023-42801: 
Homebrew vulnerability analysis and mitigation

CVE-2023-42801 is a buffer overflow vulnerability in Moonlight-common-c, which contains the core GameStream client code shared between Moonlight clients. The vulnerability was introduced in commit f57bd745b4cbed577ea654fad4701bea4d38b44c and was later patched in commit b2497a3918a6d79808d9fd0c04734786e70d5954. The vulnerability affects multiple Moonlight client versions including Qt/PC, iOS/tvOS, Android, Chrome, Embedded, Xbox, TV, Switch, and Vita versions (GitHub Advisory).

The vulnerability exists in the extractVersionQuadFromString() function where a stack buffer overflow can occur if the appversion field in the server's /serverinfo response exceeds 127 characters. The function uses a fixed-size buffer (char versionString[128]) with an unchecked strcpy() operation, which can lead to buffer overflow. The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H. The weakness is categorized as CWE-120 (Buffer Copy without Checking Size of Input) (GitHub Advisory, NVD).

A malicious game streaming server could exploit this vulnerability to crash a Moonlight client. While Remote Code Execution (RCE) is theoretically possible, it is considered unlikely due to stack canaries present in modern compiler toolchains. The official client binaries (Qt, Android, iOS/tvOS, and Embedded) are built with stack canaries as a mitigation, though unofficial clients may lack this protection (GitHub Advisory).

The vulnerability has been patched in commit b2497a3918a6d79808d9fd0c04734786e70d5954. Users should upgrade to the following versions: Moonlight Qt/PC v5.0 or later, iOS/tvOS v9.0 or later, Android v12.0 or later, Chrome v0.10.23 or later, Embedded v2.6.1 or later, Xbox v1.14.5 or later, TV v1.6.0 or later, and Switch v0.13.4 or later (GitHub Advisory).