There's actually been a lot more of these that don't get CVEs
It's one of the reasons I prefer to game in a VM with heavy network filtering and egress only through VPN
There is little to no care from game developers about security, games with actively exploitable RCEs (see pretty much the whole CoD franchise) are just allowed to stay up on Steam
Gamers are also kinda dumb and oblivious to RATs etc which doesn't help
Not gonna lie and pretend I know how it works but qemu is capable of passing USB devices into VMs while they are connected and visible to the host kernel, and this works perfectly for me for joysticks, steering wheels and other shit
For mouse and keyboard I just use the evdev forwarding thing where you press both ctrl keys to swap between host and guest
With AMD cards it's relatively easy if you're willing to install two cards and have one of them just sit there doing nothing when you're not using the VM. It's also possible to use just one card and detach it from the host system, pass it to the VM, and then reattach back to the host system when you're done playing, although I spent multiple days on this and never got it working. YMMV, it was 2-3 years ago, the driver support may have improved.
With nvidia it ranges from difficult to impossible.
The only good working solution I found (other than PCIe passthrough or specialized GPU virtualization) is VMware stuff (with better success on Windows [as a host]), because their DirectX virtualization is top-notch. Years ago I did some random testing of my Steam library and got close to native performance.
Obviously, it means you can't use DLSS, RT, or any other GPU-specific features, but their DirectX virtualization supports up to DX12.
external peripherals is probably the easy part, given that usb passthrough almost always "just works" in my experience. The bigger problem is getting GPU passthrough working.
Naive and trusting is probably a fairer characterization. They aren't nor should they need to be security experts, the company who distributed the code should be more responsible, and more controversialy I think they should also be more culpable. We are past the startup friendly wild west stage of software technology, we know better and should expect better.
Depends on the game. The answer for me is I'm not really interested in flavour of the month online shooter games so it's never been an issue but I know plenty of people who are and just continue to modify their VM until it's not detected - it's always gonna be something you can do to hide from the AC
VAC has a number of other triggers too but doesn't care about VMs in particular. I think everyone and their dog is an expert in not tripping VAC at this point
It's mostly those annoying ACs with kernel modules like EAC, BattlEye, ESEA etc. that do anti VM in an attempt to prevent cheat devs from 1. debugging the AC without at least a little effort and 2. having a clean OS but reading guest RAM from the host to avoid the anticheat entirely
A bunch of first-party Nintendo Switch, Wii U, and 3DS games had a buffer overflow bug in a shared netcode library ("enl") which can be exploited by a remote attacker just by connecting to them in online play.
Affected titles included Mario Kart 7, Mario Kart 8, Mario Kart 8 Deluxe, Splatoon, Splatoon 2, Splatoon 3, ARMS, Super Mario Maker 2, and Nintendo Switch Sports. (The Wii U games remain unpatched.)
Just had a quick look at Luigi Auriemma's website[1] to see if he had any CVEs listed - he found a ton of interesting bugs in video games - I used to follow his work closely when I was running game servers as they often could end up impacting us & figured if anyone had some it'd be him, but surprisingly don't see any listed!
I heard EVE Online had server-side RCE exploits many years ago, not sure if it got a CVE though. I expect all games have some sort of security bug, even the completely offline ones get speedruns that exploit memory bugs to win faster.
My favorite EVE Online issue isn't a RCE/CVE, but rather just a general fuckup, where they, in an update, accidentally deleted the Windows boot.ini file off people's computers, rendering them unable to boot. https://www.eveonline.com/news/view/about-the-boot.ini-issue