Overview
- Games and apps built with Unity 2017.1 or later on Windows, macOS, Android, and Linux may contain a vulnerability that Unity rates as high severity, with a CVSS score of 8.4.
- The flaw enables unsafe file loading and local file inclusion that could allow code execution and data exfiltration at the affected application's privilege level.
- Unity discovered the issue on June 4 and issued fixes on October 2, advising developers to recompile and republish affected titles.
- An official patcher is available for Windows, macOS, and Android builds, but it does not support Linux or tamper‑protected and anti‑cheat configurations.
- Valve updated Steam with mitigations, Microsoft Defender now detects and blocks the vulnerability on Windows, and Unity notes no findings suggesting exploitation on iOS, visionOS, tvOS, Xbox, Switch, PlayStation, UWP, Quest, or WebGL.