A recent security warning from Microsoft has sent shockwaves through the mobile game development community, as a critical vulnerability in the Unity Gaming Engine Editor (CVE-2026-59489) has been discovered. This flaw has far-reaching implications, potentially affecting popular games across multiple platforms.

The affected platforms include Android, Windows 10 and 11, Linux Desktop and Embedded, and macOS, while Xbox and Steam users are reportedly unaffected because those systems block the command-line attack vector.

To address this vulnerability, Microsoft has updated Microsoft Defender (version 1.437.296.0) to recognize and block exploitation attempts. If you're a Microsoft Defender user, be sure to keep your antivirus database up to date.

Games Affected:

Temporary removal is recommended for some Unity Editor-based games that use vulnerable versions, including:

  • Pillars of Eternity (including Hero Edition, Definitive Edition, Deadfire)
  • Hearthstone
  • The Elder Scrolls (Legends, Blades, Castles, Companion App Oblivion Remastered)
  • DOOM (2019, DOOM II, Dark Ages Companion App)
  • Wasteland Remastered, Wasteland 3
  • Fallout Shelter
  • Zoo Tycoon Friends, Halo Recruit, Gears POP!
  • Microsoft Mesh PC Applications, Starfield Companion App, Avowed Artbook
  • Knights and Bikes, Ghostwire Tokyo Prelude, Warcraft Rumble
  • The Bard's Tale Trilogy, Forza Customs, Mighty Doom

This vulnerability can have serious consequences, allowing attackers to force Unity applications to load malicious libraries and execute remote code (RCE), as well as gain higher-level access to systems, such as root or administrator privileges. With many Unity-based games requesting broad permissions (accessing files, networks, etc.), attackers could read sensitive data or interact with other applications, including cryptocurrency wallets on Android.

Recommendation:

Until further information is available from developers or publishers, it's recommended to remove affected apps and wait for updates to be issued. Some publishers, such as Obsidian, have already pulled games from digital stores to prevent exploitation.

Source: Microsoft, Video Game Chronicle