Unity Editor
cpe:2.3:a:unity3d:unity_editor:*:*:*:*:*:*:*
- >= 2017.1, < 2025-10-02
A vulnerability exists in the Unity Runtime on Android, Windows, macOS, and Linux, prior to the October 2, 2025 update. This vulnerability allows argument injection, enabling the loading of library code from unintended locations. Applications built with vulnerable Unity Editor versions may be exploited to execute code and exfiltrate confidential information from the user's machine. On Windows, the risk of exploitation could be increased if the application has a registered custom URI handler.
Exploitation of this vulnerability could lead to arbitrary code execution within the context of the affected Unity application, giving the attacker the application's permissions and access to its data. On Windows, a registered custom URI handler for the vulnerable application could further increase the risk of exploitation, since it offers a way to pass arguments to the application from outside.
On Android, the vulnerability can be reproduced by installing a malicious application on the same device as the target Unity application. The malicious app sends an intent to the Unity application that injects command line arguments specifying a path to a malicious shared library. When the Unity application loads that library, the injected code runs with the application's permissions. Under certain conditions the vulnerability can also be exploited remotely, for example through a web browser, by delivering a specially crafted intent that includes the malicious library path.
Developers are advised to update the Unity Editor to the latest version, rebuild their applications, and republish them. Unity has also provided a Binary Patch tool to replace the vulnerable runtime library with a patched version.