PS4 Vue Userland Code Execution Exploit

Complete technical guide to PlayStation Vue userland exploitation. CVE-2017-7117 userland primitive chained with Lapse and Netctrl kernel exploits across firmware 7.00–13.00 with comprehensive documentation, setup procedures, and community resources.

📅 Published: 20 Feb 2026 📚 Category: PS4 Exploitation 🔗 Source: Vuemony/vue-after-free ⏱️ Read Time: 15+ minutes
📞 Need Help or Having Issues? Join the official Discord server for support, community discussion, and real-time assistance from project maintainers and experienced users.

📑 Table of Contents

Vue After Free Userland Overview

Vue-After-Free is a PlayStation userland code execution exploit targeting Sony's PlayStation Vue application on PS4 consoles. The project represents collaborative security research and practical exploitation of CVE-2017-7117 across multiple PS4 firmware versions.

The exploit chain combines userland exploitation through the Vue application with firmware-specific kernel exploitation primitives (Lapse and Netctrl/Poopsploit), enabling full system compromise and jailbreak on supported firmware versions.

Vulnerability & CVE Context

Deprecated Approach: CVE-2018-4441

During development, CVE-2018-4441 was evaluated as a potential userland exploitation vector. However, extensive testing revealed critical performance and reliability issues:

Due to these limitations, CVE-2018-4441 was deprioritized and ultimately dropped from active development.

Active Implementation: CVE-2017-7117

CVE-2017-7117 serves as the primary userland exploitation primitive in this project. This vulnerability has demonstrated reliable code execution and has been successfully chained with both Lapse and Netctrl/Poopsploit kernel exploits across their respective supported firmware ranges.

Vulnerability Scope & Compatibility Matrix

Exploit Component Coverage

The project documents separate coverage windows for each exploitation component:

Exploit Component Type Supported Firmware
vue-after-free Userland 5.05 – 13.04
Lapse Kernel Exploit (KEX) 1.01 – 12.02
Netctrl (Poopsploit) Kernel Exploit (KEX) 1.01 – 13.00

Repository Functionally Tested Range

The current version of this repository provides a functionally tested complete jailbreak chain for the following firmware versions:

7.00 to 13.00

Kernel Exploit Selection Strategy

Extended Userland Window

The userland exploitation component operates across a broader range: 5.05 to 13.02 are documented as functional userland exploitation ranges. However, full jailbreak chaining has practical limitations at firmware 13.02 and above due to kernel exploit availability constraints.

Comprehensive FAQ

This section addresses common user questions and technical considerations:

❓ Will this work on 13.02 or above?

Only the userland exploitation layer will function. You cannot achieve a full jailbreak above firmware 13.00 with the files provided in this repository. Userland-only behavior may differ across firmware versions.

❓ Do I need an internet connection?

You need any form of network connection, not specifically the internet. Mobile phone hotspot, local WiFi, or any available network works. Vue requires network connectivity and will display "There was a problem connecting to the internet" if unavailable. See Connection Instructions section.

❓ Getting "There is a network communication issue" error?

This indicates either Vue has automatically updated or your save file has reset. Use your own profile backup save, or if using the system backup from this repo, unpack encryptedsavebackup.zip to USB and import via PS4 saved data management.

❓ Getting "This service requires you to sign in to PlayStation Network" error?

Your Vue app most likely updated automatically. This typically occurs when not using DNS or proper Sony server blocking. Delete and reinstall the Vue application to resolve. Ensure DNS settings are properly configured before reopening.

❓ Vue app crashed during exploit attempt?

App crashes indicate exploit failure. Cleanly shut down the console and attempt the exploit sequence again. Multiple attempts may be necessary due to timing-dependent nature of the exploit.

❓ Console shut down during exploit attempt?

If a kernel panic occurred, press the power button on your console twice to force recovery mode, then retry running the exploit.

❓ How can I run a payload?

Closing and reopening Vue is required between running JavaScript payloads. However, .bin or .elf payloads can be executed sequentially without restarting. Select payloads from the UI Payload Menu.

❓ Can I run the jailbreak offline?

No. PS Vue requires an active network connection of some kind. Internet is not required—you can use home WiFi, mobile phone hotspot, ESP32 microcontroller network, or Ethernet from repurposed PPPwn devices.

❓ My payload is not recognized. What should I do?

Format your USB drive to MBR partition table with exFAT filesystem. This ensures proper payload detection and compatibility.

Important Operational Notes

⚠️ Save File Integrity: The Vue save file may occasionally reset. To prevent compatibility issues, copy the encrypted save to USB from PS4 settings menu (using your jailbreak account) for easy future recovery and backup.
⚠️ NP Environment: Do NOT change your NP environment via Debug Settings. This will cause inability to use backup save files and incompatibility with the np-fake-signin payload.

Requirements

For Jailbroken PS4

If your console is already jailbroken, you will need:

For Non-Jailbroken PS4

If starting from a stock, unmodified console:

🚨 Critical Warning: Restoring from a system backup will erase all data on your console. The backup will then apply the Vue app and exploit data. Backup any important personal data before proceeding.

Setup Instructions

Jailbroken PS4 Setup Path

Follow these steps if your PlayStation 4 already has an established jailbreak environment. A network connection (of any kind) is required before attempting to run Vue.

  1. Jailbreak your console using your preferred jailbreak method
  2. Enable FTP access on the console
  3. Install Apollo Save Tool from official releases
  4. Download PS Vue 1.01 base package and 1.24 patch; place both on USB
  5. In Apollo Save Tool, perform fake account activation: User Tools > Activate PS4 Accounts, press R2, then X, then hold O until XMB exit prompt, accept with X, restart console and re-jailbreak
  6. Connect to your console via FTP from your computer
  7. Download VueManualSetup.7z from project releases
  8. Via FTP, navigate to path /user/download/CUSA00960/ (create if needed) and place download0.dat there
  9. On your USB, unpack save.zip from VueManualSetup. Files appear as USB Saves in Apollo, togglable in Settings > USB Saves Sources
  10. In USB root, place HEN or GoldHEN named as payload.bin (or place in /data/ for persistent loading without USB)
  11. Plug USB into console
  12. In Apollo Save Tool, navigate to USB Saves, select PS Vue save (CUSA00960), choose "Copy save game to HDD"
  13. Install PS Vue 1.01 from package installer with "Background Installation" disabled; when prompted about re-installing, press yes; then install 1.24 patch
  14. Reboot console and open PS Vue to trigger exploit via jailbreak button or configure autoloader
  15. Optional: After jailbreaking, run np-fake-signin payload to suppress initial PSN sign-in pop-up

Non-Jailbroken PS4 Setup Path

Follow these steps if starting from an unmodified, stock PS4. A network connection is required; review network security instructions below before connecting.

  1. Format your USB drive to exFAT with MBR partition table
  2. Download VueSystemBackup.7z from project releases
  3. Unpack all contents of the archive to your USB drive
  4. Plug USB into your PS4 console
  5. If you have a legitimate PSN account with savedata, navigate to Settings > Application Saved Data Management > Saved Data in System Storage and backup to USB (requires sufficient space)
  6. Navigate to Settings > Storage > System Storage > Capture Gallery > All and backup captures to USB (requires sufficient space)
  7. Navigate to Settings > System > Back Up and Restore > Restore PS4, select the system backup from USB, and initiate restore
  8. Console reboots with fake-activated user account, Vue app, and exploit data ready
  9. In USB root, place HEN or GoldHEN named payload.bin (will load from /data/ in future, USB not required after first run)
  10. Open PS Vue and trigger exploit via jailbreak button or configure autoloader
  11. Optional: After jailbreaking, run np-fake-signin payload
  12. Default account ID on system backup: "1111111111111111" (locked, cannot change)
  13. To use a different account: Create new user, fake-activate via Apollo, then follow jailbroken PS4 setup steps

Creating a Separate User Account

If you want to use a custom account ID instead of the default system backup account:

  1. Create a new user on the PS4
  2. In Apollo Save Tool, go to User Tools > Activate PS4 Accounts, select your new user, optionally specify custom Account ID, reboot console
  3. From USB, unpack save.zip from VueManualSetup.zip in releases
  4. In Apollo Save Tool, go to USB Saves, select PS Vue save (CUSA00960), choose "Copy save game to HDD"
  5. Sign in as your new user and follow jailbroken PS4 setup instructions with that account

Updating Vue Exploit

To update an existing Vue exploitation installation:

  1. Download updated VueManualSetup.7z from releases
  2. Via FTP (while jailbroken), replace download0.dat in /user/download/CUSA000960/
  3. Delete download0_info.dat in the same path

Connecting to the Internet

Disable Automatic Updates (Critical First Step)

Before connecting to any network, disable automatic system updates to prevent interference with Vue:

  1. Navigate to PS4 Settings > System > Automatic Downloads
  2. Uncheck "Featured Content"
  3. Uncheck "System Software Update Files"
  4. Uncheck "Application Update Files"

Configure Internet Connection

  1. Navigate to Settings > Network > Set Up Internet Connection
  2. Choose your connection type:
    • WiFi: Select Custom, scroll to Set Up Manually, select Enter Manually, enter network name, set security to "WPA-PSK/WPA2-PSK", enter password
    • LAN Cable: Select Custom and proceed to next step
  3. IP Address Settings: Set to Automatic
  4. DHCP Host Name: Choose Do not Specify
  5. DNS Settings: Choose Manual
  6. Primary DNS: Set to either:
    • 127.0.0.2 — Limits console to local network only, blocks Sony servers
    • 62.210.38.117 — Nomadic DNS; blocks Sony servers but allows normal internet connection
  7. Secondary DNS: Leave blank
  8. MTU Settings: Set to Automatic
  9. Proxy Server: Choose Do Not Use
  10. Press Test Internet Connection and wait for establishment

DNS Configuration Behavior

Understanding Test Results: If the connection test fails but you got an IP address, your DNS is working correctly (Sony servers are blocked). If you get a successful internet connection on the test, the DNS setting may not have applied due to local network constraints—try using 127.0.0.2 instead.

Important: The internet connection test failure does not mean your console cannot connect to the internet. It means the console cannot reach Sony's servers, which is the intended behavior for preventing update interference.

Payloads & Configuration

Preloaded Payloads

Vue-After-Free includes several built-in payloads for common operations:

Configuration Options

Vue includes configurable options for exploit automation and operational behavior:

Automatic Payload Execution

In config.js, you can register .bin or .elf files for automatic execution post-exploit:

/mnt/sandbox/download/CUSA00960/payloads/kernel_dumper.bin

Note: Do not add HEN or GoldHEN here—they load automatically via USB or /data/ directory.

Payload Management Guidelines

Credits & Acknowledgments

Vue-After-Free represents collaborative research across exploit development, kernel integration, user interface design, and community support. The following individuals and projects have made substantial contributions:

Core Development Team

c0w-ar
Lapse and Netctrl porting, Reverse Engineering
earthonion
UI design, JS injection foundation, Payload host, Netctrl porting, Binloader, Reverse engineering
ufm42
Userland Exploit primitive, Reverse Engineering
D-Link Turtle (iMrDJAi)
General support for userland exploitation
Gezine
Local JavaScript methods, PSN bypass research
Helloyunho
TypeScript port, Reverse Engineering
Dr.Yenyen
Extensive testing, Quality control, End-user support and feedback
Al-Azif
Exploit table reference, Retail application advice, Lapse AIO Fix kpatches, 12.50–13.00 kpatches

Exploitation Framework Credits

abc
Lapse kernel exploit development
TheFlow (TheOfficialFloW)
Netctrl kernel exploit
Lua Loader Project
Remote Lua loader foundation reference
Cryptogenic
Reference implementation for CVE-2018-4441
rebelle3
Reference implementation for CVE-2017-7117

Payload Component Sources

📚 Additional Resources

For the latest updates, official discussion, community support, and additional technical documentation:

→ GitHub: Vuemony/vue-after-free