

Steam Client Privilege Escalation

16/04/2025


In August 2019, security experts Matt Nelson and Vasily Kravets separately disclosed a privilege escalation vulnerability in Valve’s Steam client for Windows, which affects more than 96 million users globally. The vulnerability lets an attacker execute arbitrary code with maximum system privileges (NT AUTHORITY\SYSTEM) by combining symbolic links with opportunistic locking (oplocks), a time-of-check/time-of-use (TOCTOU) technique known as BaitAndSwitch. An attacker could exploit this flaw after an initial compromise, escalating from a lower-privileged execution context such as a vulnerable Steam game, a compromised Windows application, or another OS-level vulnerability.

Kravets publicly disclosed this vulnerability after Valve initially addressed his previous report inadequately. His disclosure included detailed proof-of-concept videos demonstrating how attackers could exploit the vulnerability, highlighting the serious security implications. The exploit allowed potential attackers to disable system defenses, install rootkits, and steal user data. Valve controversially banned Kravets from its HackerOne bug bounty program after the disclosure, prompting further scrutiny of Valve’s vulnerability management practices.

We made a challenge in C# and Python to replicate this vulnerability:

CashedUp.cs

Steam.py
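The check-then-act flaw behind BaitAndSwitch, shown as an added Python example (not code from the challenge files above or from Valve). It assumes POSIX semantics (O_NOFOLLOW and fchmod; the Windows analogue is opening with FILE_FLAG_OPEN_REPARSE_POINT and setting the DACL on the handle) and replaces the oplock with a constructed callback that swaps the path between check and use.

```python
import os
import stat
import tempfile

WRITABLE = 0o666

def naive_grant_access(path, between=None):
    """Vulnerable pattern: check a path, then act on the same path.
    `between` is a constructed stand-in for the window an oplock gives an
    attacker to swap the path out from under the privileged service."""
    if os.path.islink(path):
        raise PermissionError("refusing to operate on a symlink")
    if between:
        between()
    os.chmod(path, WRITABLE)  # follows whatever `path` points at *now*

def hardened_grant_access(path, between=None):
    """Mitigation: open once without following links, then act on the handle.
    The object is pinned at open time, so later swaps of the path are moot."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # fails if already a link
    try:
        if between:
            between()
        os.fchmod(fd, WRITABLE)  # applies to the opened object, not the path
    finally:
        os.close(fd)

def run_demo(grant):
    """Race `grant` against a constructed symlink swap and return the final
    permission bits of the file the attacker wanted to make writable."""
    with tempfile.TemporaryDirectory() as d:
        legit = os.path.join(d, "legit.txt")          # path handed to the service
        protected = os.path.join(d, "protected.txt")  # attacker's real target
        for p in (legit, protected):
            with open(p, "w") as f:
                f.write("x")
            os.chmod(p, 0o600)

        def swap():  # runs in the check/use window, like an attacker holding an oplock
            os.remove(legit)
            os.symlink(protected, legit)

        grant(legit, between=swap)
        return stat.S_IMODE(os.stat(protected).st_mode)

if __name__ == "__main__":
    print("naive:    %o" % run_demo(naive_grant_access))     # 666: target hijacked
    print("hardened: %o" % run_demo(hardened_grant_access))  # 600: target untouched
```

The hardened version never touches the path after the open, which is the property a privileged service needs regardless of how long an oplock can stall it.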

Read more about the incident:
A new Zero-Day in Steam client impacts over 96 million Windows users - Security Affairs

Expert shows how to bypass a fix for a recently discovered Steam flaw
