Impact
A buffer overflow occurs during the parsing of object sprite names in .h3m map files for Heroes of Might and Magic III. The overflow is triggered by a crafted object name that exceeds the intended buffer size, overwriting control data and potentially allowing execution of arbitrary code within the game process. The weakness aligns with CWE‑121 (Stack‑Based Buffer Overflow), CWE‑20 (Improper Input Validation), and CWE‑94 (Improper Control of Generation of Code). If successfully exploited, an attacker can run arbitrary code with the privileges of the user running the game, compromising confidentiality, integrity, and availability of the host system.
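An added example, not code from the game or from this advisory: a bounds-checked reader for a length-prefixed name field, showing the validation whose absence the description above points to. The 32-bit little-endian length prefix, the `SPRITE_NAME_CAP` size and every identifier are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SPRITE_NAME_CAP 32  /* assumed destination size, terminator included */

enum name_status { NAME_OK = 0, NAME_TRUNCATED_INPUT, NAME_TOO_LONG, NAME_EMBEDDED_NUL };

/* Read one length-prefixed name (assumed layout: uint32 little-endian length,
 * then that many bytes) from buf at *off into out[SPRITE_NAME_CAP].
 * On success *off moves past the field; on failure out and *off are untouched. */
static enum name_status read_sprite_name(const uint8_t *buf, size_t buf_len,
                                         size_t *off, char out[SPRITE_NAME_CAP])
{
    if (*off > buf_len || buf_len - *off < 4)
        return NAME_TRUNCATED_INPUT;          /* no room for the length field */

    const uint8_t *p = buf + *off;
    uint32_t n = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;

    /* The declared length comes from the file, so it is checked against the
     * destination before anything is copied. */
    if (n >= SPRITE_NAME_CAP)
        return NAME_TOO_LONG;
    if (buf_len - *off - 4 < n)
        return NAME_TRUNCATED_INPUT;          /* length runs past end of input */
    if (memchr(p + 4, '\0', n) != NULL)
        return NAME_EMBEDDED_NUL;             /* would silently shorten the name */

    memcpy(out, p + 4, n);
    out[n] = '\0';
    *off += 4 + (size_t)n;
    return NAME_OK;
}

int main(void)
{
    /* Constructed sample: length 5 followed by "a.def". */
    const uint8_t sample[] = { 5, 0, 0, 0, 'a', '.', 'd', 'e', 'f' };
    char out[SPRITE_NAME_CAP];
    size_t off = 0;
    enum name_status st = read_sprite_name(sample, sizeof sample, &off, out);
    printf("status=%d name=%s next_offset=%zu\n", st, st == NAME_OK ? out : "(rejected)", off);
    return 0;
}
```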
Affected Systems
The vulnerability applies to 3DO Company’s Heroes of Might and Magic III, specifically the Complete 4.0.0.0 release, HD Mod 3.808 build 9, and the Demo 1.0.0.0 build. All affected versions parse .h3m files in the same manner that triggers the overflow, so any installation of these builds is vulnerable. No other vendors, products, firmware, or external devices are impacted.
Risk and Exploitability
The CVSS score of 8.4 classifies this issue as high severity. An EPSS score of 13% indicates a moderate likelihood of exploitation in the wild. The vulnerability is currently not listed in the CISA KEV catalog, but the existence of a public Metasploit module and Exploit‑DB references shows that attackers can weaponize the flaw. Exploitation requires a victim to launch the game and open a malicious map file, so the attack vector is primarily local or file‑based; it can be triggered by social engineering or malicious downloads.