Talos Vulnerability Report


GOG Galaxy Games fillProcessInformationForPids information leak vulnerability

March 26, 2019
CVE Number



An exploitable local information leak vulnerability exists in the privileged helper tool of GOG Galaxy’s Games, version 1.2.47 for macOS. An attacker can pass a PID and receive information running on it that would usually only be accessible to the root user.

Tested Versions

Gog Galaxy 1.2.47 (macOS)

Product URLs


CVSSv3 Score

6.2 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


CWE-19: Improper Input Validation


GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy installs a helper tool service with root privileges. This tool listens for connections and uses the provided protocol to dispatch functionality out.

The vulnerability arises in the fillProcessInformationForPids. This function takes an array of process id’s and fills in a process structure based on the information returned. The function uses proc_pidinfo to gather this information. Traditionally, a user should only be able to access information about processes running with the same privilege. This information is then passed back to the caller via objective-c closures. If an attacker passes in values of root processes, sensitive information is returned, creating an information disclosure vulnerability.


2018-11-20 - Vendor Disclosure
2018-12-14 - Vendor Patched
2019-03-26 - Public Release


Discovered by Tyler Bohan of Cisco Talos.