CVE-2011-2764
CVE-2011-2764 is a critical-severity vulnerability in Ioquake3 Ioquake3 Engine with a CVSS 2.0 base score of 10.0. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.
Key facts
- Severity: Critical (CVSS 2.0 base score 10.0)
- EPSS exploit prediction: 9% (94th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-20
- Affected product: Ioquake3 Ioquake3 Engine
- Published:
- Last modified:
Description
The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin' Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly determine dangerous file extensions, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file.
Frequently asked questions
- What is CVE-2011-2764?
- The FS_CheckFilenameIsNotExecutable function in qcommon/files.c in the ioQuake3 engine 1.36 and earlier, as used in World of Padman, Smokin' Guns, OpenArena, Tremulous, and ioUrbanTerror, does not properly determine dangerous file extensions, which allows remote attackers to execute arbitrary code via a crafted third-party addon that creates a Trojan horse DLL file.
- How severe is CVE-2011-2764?
- CVE-2011-2764 has a CVSS 2.0 base score of 10.0, rated critical severity.
- Is CVE-2011-2764 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 9% (94th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2011-2764?
- CVE-2011-2764 primarily affects Ioquake3 Ioquake3 Engine. In total, 7 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2011-2764?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2011-2764 published?
- CVE-2011-2764 was published on 2011-08-04 and last updated on 2026-06-16.
References
- http://archives.neohapsis.com/archives/fulldisclosure/2011-07/0338.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-August/063460.html
- http://secunia.com/advisories/45539
- http://secunia.com/advisories/45540
- http://securityreason.com/securityalert/8324
- http://svn.icculus.org/quake3?view=rev&revision=2098
- http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff
- http://www.securityfocus.com/archive/1/519051/100/0/threaded
- http://www.securityfocus.com/bid/48915
- https://bugzilla.redhat.com/show_bug.cgi?id=725951
- https://exchange.xforce.ibmcloud.com/vulnerabilities/68870
- https://security.gentoo.org/glsa/201706-23
Affected products (7)
- cpe:2.3:a:ioquake3:ioquake3_engine:*:*:*:*:*:*:*:*
- cpe:2.3:a:ioquake3:ioquake3_engine:1.36:rc1:*:*:*:*:*:*
- cpe:2.3:a:openarena:openarena:*:*:*:*:*:*:*:*
- cpe:2.3:a:smokin-guns:smokin\'_guns:*:*:*:*:*:*:*:*
- cpe:2.3:a:tremulous:tremulous:*:*:*:*:*:*:*:*
- cpe:2.3:a:urbanterror:iourbanterror:*:*:*:*:*:*:*:*
- cpe:2.3:a:worldofpadman:world_of_padman:*:*:*:*:*:*:*:*
More vulnerabilities in Ioquake3 Ioquake3 Engine
- CVE-2011-3012 — Critical (CVSS 10.0): The ioQuake3 engine, as used in World of Padman 1.2 and earlier, Tremulous 1.1.0, and ioUrbanTerror 2007-12-20, does…
- CVE-2010-5077 — High (CVSS 7.8): server/sv_main.c in Quake3 Arena, as used in ioquake3 before r1762, OpenArena, Tremulous, and other products, allows…
- CVE-2011-1412 — High (CVSS 7.5): sys/sys_unix.c in the ioQuake3 engine on Unix and Linux, as used in World of Padman 1.5.x before 1.5.1.1 and OpenArena…
- CVE-2012-3345 — Medium (CVSS 5.6): ioquake3 before r2253 allows local users to overwrite arbitrary files via a symlink attack on the /tmp/ioq3.pid…
All CVEs affecting Ioquake3 Ioquake3 Engine →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →