After a security vulnerability involving crafted save files was spotted by modders, CD Projekt Red has now rolled out a PC hotfix for Cyberpunk 2077 - meaning that particular exploit should be solved.
Hotfix 1.12 promises a fix to a vulnerability that allowed crafted save files to take advantage of a buffer overflow, redirecting the running thread to an old DLL from 2010 that sat at a fixed address and lacked modern protections. The vulnerability meant that save files, which are normally considered a bit safer to download, could essentially be turned into executables that could carry out "any locally executed virus" on a user's PC - without the user noticing. For a more extended explanation, see my original story.
According to CDPR's tweet, this "buffer overrun issue" has now been fixed, while it seems the troublesome DLL has been "removed/replaced."
Hotfix 1.12 is now available on PC!
This update addresses the vulnerability that could be used as part of remote code execution (including save files):
- Fixed a buffer overrun issue.
- Removed/replaced non-ASLR DLLs.
pic.twitter.com/LAkBfVpnXf
— Cyberpunk 2077 (@CyberpunkGame) February 5, 2021
The vulnerability was initially discovered by PixelRick, who found the exploit when reverse-engineering the game to develop a save editor.
"I'd still like to remind people that some mods do contain executable files (.exe, .dll, .asi) that by nature represent a risk... and this threat is a constant one, whereas the vulnerability of sav.dat files is going to be patched," PixelRick told me earlier this week. So, you heard PixelRick: always be careful when downloading your mods, but at least this save file exploit should be fixed thanks to the hotfix.
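For readers who want to check what "non-ASLR DLLs" means on their own install or mod folder, here is an added example (not CDPR's or PixelRick's tooling) that reads the PE header flags of .exe, .dll and .asi files and lists those that do not opt in to ASLR or DEP. It goes slightly beyond the hotfix notes by also checking the DEP flag; the function names and the sample headers are constructed for illustration.

```python
import os
import struct

# DllCharacteristics / COFF Characteristics bits from the PE/COFF specification.
DYNAMIC_BASE, NX_COMPAT, RELOCS_STRIPPED = 0x0040, 0x0100, 0x0001

def pe_mitigations(data):
    """Return ASLR/DEP opt-in status parsed from the headers of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ signature)")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (file_chars,) = struct.unpack_from("<H", data, pe_off + 22)  # COFF Characteristics
    opt = pe_off + 24                                       # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                         # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in both formats
    relocatable = not file_chars & RELOCS_STRIPPED
    return {
        # The opt-in flag is useless if relocations were stripped: the image cannot move.
        "aslr": bool(dll_chars & DYNAMIC_BASE) and relocatable,
        "nx": bool(dll_chars & NX_COMPAT),
    }

def make_sample(dll_chars, file_chars=0x2000):
    """Constructed minimal PE32+ headers (not a loadable DLL) for demonstration."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, file_chars)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)

def scan(root):
    """Yield (path, result) for every .exe/.dll/.asi under root lacking ASLR or DEP."""
    for folder, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".exe", ".dll", ".asi")):
                path = os.path.join(folder, name)
                try:
                    with open(path, "rb") as fh:
                        result = pe_mitigations(fh.read(4096))
                except (ValueError, struct.error, OSError):
                    continue  # unreadable or not a PE image
                if not all(result.values()):
                    yield path, result
```

Calling `list(scan(path_to_game_or_mod_folder))` returns the binaries that would load without address randomisation or DEP; an empty list means every PE file found opts in to both.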