A patch fixes exploit hidden in Elden Ring that traps PC players in a ‘death loop.’

The latest installment of the Dark Souls gaming franchise, Elden Ring, contains a security vulnerability that allows bad actors to throw players on PCs into an endless loop of losing their characters’ lives, rendering it essentially unplayable.

Malwarebytes Labs researcher Christopher Boyd said Thursday that the bug appears to be a remote code-execution flaw that is being exploited to render the game unplayable for victims.

The late February release of Elden Ring went off smoothly for a time, and PC players were able to access online play without incident. In fact, on March 16, the Tokyo-based company announced that the sandbox game had sold 1 million units in Japan and more than 12 million worldwide.

Infosec Insiders Newsletter

The backstory behind Elden Ring was written by George R.R. Martin, the author of the book used as the source material create the hit television epic, “Game of Thrones.”

“It’s astonishing to see just how many people have been playing ‘Elden Ring,’” FromSoftware CEO Hidetaka Miyazaki said. “I’d like to extend our heartfelt thanks on behalf of the entire development team. ‘Elden Ring’ is based on a mythological story written by George R. R. Martin. We hope players enjoy a high level of freedom when adventuring through its vast world, exploring its many secrets, and facing up to its many threats.”

Elden Ring’s ‘Death Loop’

The smooth sailing ended about a week ago, when attackers found a way to break into PC players’ games and throw their avatars into an endless loop of dying, coming back and quickly dying again, something Boyd referred to as a “death loop.”

“After the first time your character dies, you’re supposed to respawn at locations resembling a bonfire, Instead, in the death loop scenario the victim simply continues to die over and over again,” Boyd explained.

One player tweeted about the bug in the latest Souls’ game.

“There’s an exploit going around on PC where hackers will corrupt your save file while you’re invaded,” the player tweeted. “First, they will crash your game, and when you open it back up, your character will be constantly falling to their death…”

Boyd said no one is exactly sure what’s going on, since FromSoftware hasn’t released any specifics about the exploit.

“One of the theories from players is that the invaders were able to edit their save files somehow while in game, or at least adjust some parameters related to the victim’s save points,” Boyd added. “In other words: You no longer spawn at the nearest bonfire. You respawn somewhere over the nearby ocean and die instantly on account of not being able to swim.”

The only way for PC players to completely avoid the possibility of falling victim to the bug is to switch off online play, Boyd advised.

“Anyone trapped in a death loop has to attempt an ALT + F4/rapid-fire sequence of button presses in menus to try to manually respawn at a bonfire,” Boyd said. “This, as it turns out, isn’t easy to do.”

The good news is that FromSoftware has released an Elden Ring patch for this exploit, as well as others impacting players. Players without the update will be barred from online play, the company added.

Other Dark Nights of the Soul for Dark Souls

This isn’t the first time that the developer has faced issues with the Dark Souls series. Boyd pointed out that in January, leading up to the Elden Ring release, developer FromSoftware was confronted with a similar RCE exploit in Dark Souls 3 that forced it to shut down online play for PC players.

The flaw could allow attackers to do pretty much anything: As Kaspersky researchers explained at the time, the bug “allows an attacker to execute almost any program on the victim’s computer, so they’re able to steal confidential data or execute any program they wish” – that includes installing malware, letting them access sensitive information or enabling them to rip off resources for cryptocurrency mining.

The vulnerability also affected earlier games in the Dark Soul series, leading the developers to temporarily turn off player-versus-player (PvP) servers across Dark Souls Remastered, Dark Souls II and Dark Souls III. PvP refers to players being able to interact and duel with each other.

“Hopefully the last we’ll see of game invading/save locking/character murdering exploits along these lines,” Boyd explained. “Save points in Souls titles are supposed to be the one safe breathing space in the entire game. To have them corrupted or tampered with and cursed with instant death is probably a bridge too far for even the most hardcore of Souls players.”

Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.