Unity Platform Protection: Developer Remediation Guide

A security vulnerability was identified that affects games and applications built on Unity versions 2017.1 and later for Android, Windows, Linux, and macOS operating systems. There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers. We have proactively provided fixes that address the vulnerability, and they are already available to all developers. Download the patching tool here and read on for further instructions.

Access the patching tool

Overview

A security vulnerability has been identified affecting games and applications built with Unity 2017.1 and later for Android, Windows, and macOS, and Linux. There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers. This vulnerability originates from command-line arguments that allow Unity applications to load and execute native and managed extensions. To understand how the vulnerability could affect your target platforms, refer to Platform-specific technical notes.

Important: If your project was built with any Unity version from 2017 up to today’s patched releases, it might be affected. All developers with affected projects must take action.

Remediation options

You need to take action if you have developed and released a game or application using Unity 2017.1 or later for Windows, Android, or macOS. Given the lower risk this vulnerability poses on Linux, developers will be sufficiently protected by updating to the patched versions of Unity.

Unity has released patched versions of the editor starting at 2019.1 and later. If your application was built with Unity 2019 or later, Unity recommends that you rebuild your application with a patched Unity Editor. However, Unity also provides a patching tool if you can’t rebuild your project from source, or have built with a 2017/2018 version, as outlined in the Patch built applications section.

1. Rebuild with a patched Unity Editor (Recommended)

Patched releases of each affected Unity Editor version are available to download. You can download a patched Unity Editor, then rebuild your application.

To rebuild your application with a patched Unity Editor version:

  1. Download the latest release of the Unity Editor that matches the Unity version your application was built with (e.g. Unity 6.1, Unity 2022.2, etc):
    1. Unity Hub
    2. Unity Download Archive
  2. Open your project in the updated Editor.
  3. Rebuild and retest your application.
  4. Republish to your distribution channels.

2. Patch built applications

If you cannot rebuild from source (or would like to deploy a hotfix while rebuilding your app), use the Unity Application Patcher to update your existing Android, Windows, or macOS builds.

To use the Unity Application Patcher:

  1. Download the Unity Application Patcher: Get the Tool
  2. Review the license agreement, usage guide and advanced options. Refer to the Patcher Documentation for more information.
  3. Run the patcher tool on your existing build (requires an internet connection to patch Windows or macOS builds).
  4. Test your application post-patching to ensure functionality.
  5. Republish to your distribution channels.

To understand how the Unity Application Patcher works for different platforms, refer to Platform-specific technical notes.

Notes:

  • The patcher is not compatible with builds protected by some tamper-proofing or anti-cheat solutions.
  • Always verify the integrity and functionality of your application after patching.
  • The Unity Application Patcher tool was developed with Unity 6.0 and so the corresponding Windows or macOS system requirements apply to running the tool.

Platform-specific technical notes

The following sections outline how the security vulnerability affects Android, Windows, and macOS applications, and how the Unity Application Patcher works on each platform.

Command Line
-xrsdk-pre-init-library
Affected Final Release Versions
Android, Windows, Mac, Linux: Unity 2019.1+
Description
Argument meant to be loaded from the internal Data/boot.config file causes unity to load a native library upon launch, not intended to be used as a command-line argument.
-dataFolder
Affected Final Release Versions

Windows: Unity 2022.2+ Mac: Unity 2023.2+ Linux: Unity 2022.3+

Description
Allows the data folder to be relocated and share one executable between multiple data folders.
-overrideMonoSearchPath
Affected Final Release Versions
Android 32-bit (mono), Windows (mono), Mac (mono), Linux(mono): Unity 2017+
Description
Specifies an extra folder to search when Mono is loading assemblies. This argument does nothing if IL2CPP is used.
-monoProfiler
Affected Final Release Versions
Windows (mono): Unity 2018.3+
Description
Used to initialize and configure a profiler within the Mono runtime, which can come from an external library. This argument does nothing if IL2CPP is used.

Some beta and patch releases in the release stream may be affected. See the full list of affected versions if you shipped on a non-final release.

Note: Additional OS-level measures have been deployed by Google, Meta, and Microsoft to further secure their platforms. However, you must still patch or rebuild your Unity applications to be fully secure.

Android

Note: There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.

On Android, you need to take action if your Unity app was built with Unity 2019.1 or later, regardless of any special permissions or settings.

Additionally, if your app was built with Unity 2017 or later and uses the Mono runtime (32-bit only), it may be vulnerable. See the full list of affected versions if you shipped on a non-final release.

  • On Android, applications are generally isolated from one another, and code injection is not typically possible between apps without exploiting a vulnerability or misconfiguration.
  • The vulnerability could allow other apps on the device to launch your Unity app and inject a malicious native library via specially crafted intents and the xrsdk-pre-init-library command-line argument, or the overrideMonoSearchPath for 32-bit apps built with mono.
  • Android apps are not vulnerable to the datafolder or monoProfiler command-line arguments.

Breaking changes on Android

There are no breaking changes associated with addressing this vulnerability on Android.

Unity Application Patcher for Android

On Android, the Unity Application Patcher unpacks your APK or AAB and locally modifies libunity.so and boot.config to block the vulnerable code path, then repackages and re-signs your APK or AAB.

The Unity Application Patcher changes the xrsdk-pre-init-library string to 8rsdk-pre-init-library in both libunity.so and boot.config to block the vulnerable code path. This prevents it being used as a command-line argument (or an intent extra on android) because of the way the arguments are parsed. It can still function as a boot.config setting, so any usage within the boot.config file is also patched.

The Unity Application Patcher also disables the overrideMonoSearchPath argument for 32-bit builds with mono by replacing the first character of the overrideMonoSearchPath string in the libunity.so with an invalid unicode character 0xC0.

Windows

Note: There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.

On desktop platforms like Windows, there are various ways to inject code into a running process. However, these methods are usually limited by system privilege levels and security boundaries. In most cases, you can only inject code into processes you started yourself, and doing so doesn’t grant you any additional capabilities beyond what your own process already has.

However, in this situation, your Unity app could be vulnerable to privilege escalation if it is registered as a custom URL schema handler. This registration could be performed by your application (for example, to support deep linking or launching from a browser), or by other applications (such as third party game launchers or store fronts).

As there is no way to prevent - or even discover - that a third party application has registered your application as a schema handler, Unity recommends you patch all Unity Windows applications as a precaution.

  • With a registered URL scheme, an attacker running code at a lower integrity level (such as from a sandboxed or less-privileged process) could exploit this Unity vulnerability to launch your app and inject a DLL, causing your application to run attacker-supplied code with higher privileges than would otherwise be possible.
  • Injection could occur via any of the vulnerable command-line arguments outlined above.

Breaking changes on Windows

  • If your app uses the -datafolder command-line argument to relocate the datafolder, you will now need to pass the custom data folder as the second argument to the UnityMain function instead:
    • int UnityMain(HINSTANCE hInst, LPCWSTR customDataFolder, LPWSTR szCmdLine, int nCmdShow)
  • If your app used xrsdk-pre-init-library as a command-line argument to switch between XR providers, Unity recommends switching to using OpenXR or providing separate builds.
  • overrideMonoSearchPath is removed, it is suggested to either build separate apps, or include all scripts into the same build.

Unity Application Patcher for Windows

For Windows builds, the Unity Application Patcher tool downloads a patched UnityPlayer.dll (or .exe for applications built with Unity 2017.1) appropriate for your Unity version and swaps it in place of the vulnerable file in your built application.

Note: The Unity Application Patcher fetches pre‑patched binaries from Unity’s servers, ensuring they have been tested and verified before you receive them.

The UnityPlayer.dll was modified to skip the vulnerable command-line parameters.

xrsdk-pre-init-library still functions as a boot.config setting.

Important: If your app uses the -datafolder command-line argument to relocate the datafolder (introduced in Unity 2022.2), you need to adopt a new pattern outlined in the Breaking changes on Windows section.

macOS

Note: There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.

On macOS, many privileges are managed on a per-application basis, such as access to the camera or to user document folders. macOS implements multiple mechanisms to prevent abuse of these privileges, including the Hardened Runtime feature. By default, apps built with the Hardened Runtime are blocked from loading any unsigned or differently-signed code.

Use of the Hardened Runtime is required for notarization, which is recommended when distributing outside the Mac App Store. It is not strictly required for Mac App Store distribution, where apps must at least use App Sandbox. While App Sandbox restricts what an app can access on the system, it does not prevent code injection into the app’s own process. Without Hardened Runtime, techniques such as DYLD_INSERT_LIBRARIES are already possible, meaning this vulnerability does not increase exploitability in that environment. Unity still recommends patching or rebuilding all affected macOS apps to remove the vulnerable code paths, ensuring they remain secure if Hardened Runtime is enabled later or if distribution moves outside the Mac App Store.

If your application was built with Unity 2017.1 or later (with Mono scripting backend) or Unity 2019.1 or later (with any scripting backend), is built with the Hardened Runtime, and has certain runtime exceptions enabled that weaken code injection protections, you have to take action. The exceptions that could make your app vulnerable are:

  • Disable Library Validation (com.apple.security.cs.disable-library-validation) — allows loading of unsigned or differently signed plug-ins or frameworks. This can permit malicious native .dylib files to be loaded when using the xrsdk-pre-init-library or datafolder arguments.
  • Allow execution of JIT-compiled code (com.apple.security.cs.allow-jit) — can enable execution of malicious managed code if the datafolder or overrideMonoSearchPath arguments are exploited. Note that granting this exception is a requirement for all use of the Mono scripting backend.
  • Allow unsigned executable memory (com.apple.security.cs.allow-unsigned-executable-memory) — also enables malicious managed code execution if the datafolder argument is exploited.
  • App was built with Unity 2023.2+: Even without any of these exceptions, datafolder could still be exploited.

The Hardened Runtime typically blocks common code injection methods, protecting applications from such attacks. In affected Unity apps with any of the above exceptions enabled, attackers may be able to inject code via the xrsdk-pre-init-library,datafolder or overrideMonoSearchPath command-line arguments.

This may allow an attacker to inject a malicious .dylib or managed assembly within your process. It cannot grant access to permissions the app itself does not have.

Breaking changes on macOS

  • If your app uses the -datafolder command-line argument to relocate the datafolder, we recommend using symlinks instead.
  • overrideMonoSearchPath is removed, it is suggested to either build separate apps, or include all scripts into the same build.

Unity Application Patcher for macOS

For macOS projects, the Unity Application Patcher tool downloads a patched UnityPlayer.dylib appropriate for your Unity version and swaps it in place of the vulnerable file in your built application. The boot.config variable xrsdk-pre-init-library was changed to 8rsdk-pre-init-library. This prevents it being used as a command-line argument because of the way the arguments are parsed. It can still function as a boot.config setting, so we also patch any usage within the boot.config.

New behavior in Unity Application Patcher 1.3:

  • The patcher will patch UnityPlayer.dylib for all macOS applications, regardless of Hardened Runtime or entitlements.
  • Applications that use Hardened Runtime without the com.apple.security.cs.disable-library-validation entitlement will not be signed by the patcher after patching.
    • When the patcher does not sign an application, it will display a warning that you must sign the application manually or it will not run.
  • This change ensures that patched applications do not run in a weakened security state without the developer explicitly re‑signing them.

When the app is signed by the patcher, it uses an ad‑hoc signature for local testing. If your application was previously signed with a Developer ID certificate and notarized by Apple, patching will invalidate that notarization. Follow Apple’s recommendations for distributing software to re‑sign and re‑notarize before release.

Linux

Note: There is no evidence of any exploitation of the vulnerability, nor has there been any impact on users or customers.

On Linux, the vulnerable Unity command‑line arguments function similarly to the LD_PRELOAD mechanism. Under the standard Linux security model, these arguments do not cross privilege boundaries and therefore do not introduce additional risk relative to what is possible with LD_PRELOAD.

In environments such as AppArmor, bubblewrap, Firejail, or SELinux, if a restricted process can launch a Unity application outside its confinement, arbitrary code execution is already possible and this vulnerability does not add further risk. In certain SELinux or AppArmor configurations, common injection methods (LD_PRELOAD, ptrace) may be blocked while still allowing Unity to be launched with arbitrary arguments. In this case, the vulnerable arguments could bypass policy restrictions and become a viable exploit path.

Mitigation

Due to the lower risk profile, Unity has not released a Linux version of the Unity Application Patcher. If desired, particularly in environments with strict access control policies, rebuild your Linux application with a patched Unity Editor to remove the vulnerable code paths.

Other platforms (iOS, consoles, etc.)

For all other Unity-supported platforms including iOS, there have been no findings to suggest that the vulnerability is exploitable. For maximum security, Unity recommends that you rebuild your app with the latest patched Unity Editor.

Resources

Your action is required to secure your applications and protect your users. For any questions or assistance, please contact Unity Support.


FAQ

There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. The CVE security rating is “High”, and we strongly recommend updating your games and apps as soon as you can.

A CVE (Common Vulnerabilities and Exposure) is an industry standard process for disclosing security vulnerabilities based on things like ease of attack or potential damage. The severity ratings range from Low, Medium, High to Critical. For a “High” rating, it’s recommended that you patch your games or apps promptly.

For comprehensive technical details, please consult our patching tool and remediation guide and Security Advisory.

We have spoken with Valve and they will issue additional protections for the Steam client. For Windows, Microsoft Defender has been updated and will detect and block the vulnerability.

There have been no findings to suggest that the vulnerability is exploitable on these platforms. For the best protection, we always recommend you are on the latest patch release of the version of Unity you are using.

Updated versions of Unity can be used even for platforms that are not vulnerable. However, if you cannot upgrade Unity versions on unaffected platforms, we recommend integrating the patching tool into your build process as a post build step for vulnerable platforms.

In addition to Microsoft Defender, we are working with Crowdstrike, Fortinet, Sophos, BitDefender, and other EDR (Endpoint Detection and Response) vendors for additional protections.

The vulnerability was initially discovered by a third party security researcher.

To our knowledge, there is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. For comprehensive technical details, please consult our patching tool and remediation guide and Security Advisory.

We proactively provided fixes that address the vulnerability and they are already available to all developers. In addition, our platform partners have taken further steps to secure their platforms.

  • If a developer chooses not to take any action, their application or game built on 2017.1 or later may remain vulnerable and could pose a risk to consumers or device functionality, especially if the issue is later exploited.
  • Google, Meta, and Microsoft have taken further steps to secure their platforms but we still strongly recommend developers patch or recompile their games and applications as a precaution.
  • We also recommend that consumers update their devices and applications with the latest versions of software, turn on auto-updates, avoid suspicious downloads, and follow security best practices.

We have a Responsible Disclosure policy in place as a part of our ongoing collaboration with internal and external security researchers and also have a Bug Bounty program. For more information on our Bug Bounty program, contact security@unity3d.com or visit our Bug Bounty program on Bugcrowd.

  • We are continually evolving our comprehensive Secure Software Development Lifecycle (SSDLC) program as we identify risks or vulnerabilities, and leveraging opportunities to further improve the security of our products, including by updating our tooling and processes in response to new discoveries.
  • To help further improve our ability to identify and address similar vulnerabilities, we’re also enhancing our tooling strategy with new scanning tools, implementing updated guidelines, and adding additional steps to our testing process, including a comprehensive penetration testing process.

You should contact the app store in question to understand their policy for removing applications with known security vulnerabilities.

  • There is no evidence of any exploitation of the vulnerability, nor has there been any impact on end-users.
  • We have proactively provided fixes that address the vulnerability and they are already available to all developers. In addition, our platform partners have taken further steps to secure their platforms and protect end-users.
  • You can encourage your customers to update their devices and applications with the latest versions of software, turn on auto-updates, avoid suspicious downloads, and follow security best practices.

  • On Android, the patching tool modifies the libunity.so file in a way that prevents the vulnerability from being exploited.
  • On Windows, the patching tool downloads a patched UnityPlayer.dll for your game’s Unity runtime version and replaces the original one.
  • On macOS, the patching tool downloads a patched UnityPlayer.dylib for your game’s Unity runtime version and replaces the original one.
  • Please note that if an app uses tamper-proofing techniques, the patch won’t work. The only way to apply the fix safely and successfully is to rebuild the app from source.

The fix is unlikely to break most games. For more details, please reference the Remediation Guide.

We have worked with Google to allow a temporary exception to submission rules specifically for the Android SDK for applications that are already live and patched using our provided patching tool. This exception does not apply to other Google SDKs that may have their own version requirements and it may be necessary to update those SDKs before resubmission. Reach out to Google if you need further information or exceptions for your particular application.

The number of applications built with the mono runtime on Unity 2017 or 2018 that are still in circulation is quite small and didn't justify the delay that would have been required to backport fixes to those versions. For applications built with Unity 2017 or 2018, the patching tool should be sufficient to keep them protected.

If you have a situation that prevents the patching tool from being an adequate solution, please open a ticket at support.unity.com.

The vulnerability presents a much lower risk on Linux compared to Android, Windows, and macOS. For the best protection, we always recommend you are on the latest patch release of the version of Unity you are using.

Pico is not a supported Unity platform so we cannot be confident whether or not the platform is vulnerable. It is based on Android, so you should update your applications to be safe. We have not built our patching tool to be compatible with Pico's platform and we have some reports from developers that our patching tool conflicts with Pico's app hardening feature. We recommend developers wanting to ensure the vulnerability is addressed in their applications rebuild their games with our patched Editor releases.

There is no need to pull games or applications off any platforms. There is no evidence of any exploitation of the vulnerability nor has there been any impact on users or customers. Unity has proactively provided fixes to developers that address the vulnerability, and many of our platform partners have put additional protections in place.