Victor Roemer

**Name of the Vulnerable Software and Affected Versions** ioquake3 versions prior to 2017-03-14 Quake III Arena (affected versions not specified) OpenArena (affected versions not specified) OpenJK (affected versions not specified) iortcw (affected versions not specified) id Tech 3 (aka Quake 3 engine) forks (affected versions not specified) **Description** The issue is related to the auto-downloading feature, which has insufficient content restrictions. This allows a malicious auto-downloaded file to trigger the loading of crafted auto-downloaded files as native code DLLs. A malicious file can also override the user's configuration defaults. Furthermore, executable bytecode in a malicious file can set configuration variables to values that result in unwanted native code DLLs being loaded, leading to a sandbox escape. **Recommendations** For ioquake3 versions prior to 2017-03-14, update to a version released after 2017-03-14 to resolve the issue. For Quake III Arena, OpenArena, OpenJK, iortcw, and id Tech 3 forks, at the moment, there is no information about a newer version that contains a fix for this vulnerability.