A researcher by the name of Vasily Kravets published a vulnerability found in the Windows version of Steam. Allegedly, he passed his findings to HackerOne for review, who then reported it to Steam. Steam dismissed his findings as not applicable. The vulnerability allows access to the registry, which then "allows third parties to escalate their privileges to system-wide admin access". Currently this vulnerability is wide open and has not been addressed.
Honestly, with all the recent security vulnerabilities going around, I would rather the researcher had brought attention to this issue without actually publishing the workings of the 'hack'. I know it would be hard, but with the recent coverage of this issue, it just makes more people, maybe some bad actors, notice the hack and get around to actually doing something malicious. In the end, until Valve formally patches this, it is best if people are cautious of what they download on Steam, especially free/low-cost games, since they are one of the more likely vectors of attack. That, and of course be cautious of emulators/patches/cracks like smartsteam emu and cracked Steam games in general.
Source: https://amonitoring.ru/article/steamclient-0day