RUSTSEC-2026-0121

Denial of service in Steamworks game clients/servers using P2P authentication

Reported

May 5, 2026

Issued

May 6, 2026

Package

steamworks (crates.io)

Type

Vulnerability

Categories

denial-of-service

Keywords

#panic

References

https://github.com/Noxime/steamworks-rs/issues/321

Patched

>=0.13.1

Affected Functions

Version

steamworks::Client::process_callbacks

<0.13.1

steamworks::Client::register_callback

<0.13.1

steamworks::Server::begin_authentication_session

<0.13.1

steamworks::User::begin_authentication_session

<0.13.1

steamworks::ValidateAuthTicketResponse::from_raw

<0.13.1

Description

Processing the raw ValidateAuthTicketResponse_t callback data panics when the m_eAuthSessionResponse field is k_EAuthSessionResponseAuthTicketNetworkIdentityFailure. This can lead to denial of service in game clients and servers using the begin_authentication_session API to authenticate players if a malicious game client sends an authentication ticket with a network identity that does not match that of the verifier.

Advisory available under CC0-1.0 license.