VTubing software developer Live2D has reported a security vulnerability in Live2D Cubism Core. According to the company's findings, the vulnerability allows malicious code to be executed through modified MOC3 files.
Live2D is now investigating the issue on the advice of external security experts and is working to release a software version that fixes the vulnerability within the next few days.
“This vulnerability occurs when an application runs a maliciously modified MOC3 file,” Live2D Inc. wrote in its report last week.
“Having the modified MOC3 file loaded into the target Cubism Core may cause out-of-range memory writes and crash the application.”
Live2D advises that users can continue to use MOC3 files created by themselves or trusted parties without any concern.
Live2D advises its users to take the following precautions to protect themselves from malicious MOC3 files:
- Do not open MOC3 files from unknown sources.
- Open MOC3 files obtained from trusted sources.
- Keep applications (mentioned above) that use indefinite numbers of MOC3 files up to date.
VTube Studio, a widely used VTubing app, shared Live2D’s report with the following advice:
- Most Live2D tracking apps are affected by this.
- Only specially crafted MOC3 files are affected. Files you got from your rigger or trusted people online are safe.
- For VTube Studio, this includes Live2D Models and Live2D Items.
- You should be careful when loading model files from random strangers online, at least for the time being.
- Please keep your Live2D apps updated at all times.
VTube Studio has suspended downloads of Live2D models and assets from the workshop while the flaw is being investigated. The change was implemented to keep users safe, and the features will be enabled again once the vulnerability has been fixed.