CVE-2025-9136

Name
CVE-2025-9136
Description
A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. It affects the function filestream_vscanf in the file libretro-common/streams/file_stream.c. The manipulation causes an out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component.
NVD Severity
unknown

References

Type URI
issue-tracking https://github.com/libretro/RetroArch/pull/17555
issue-tracking https://github.com/libretro/RetroArch/pull/17555#issuecomment-2651403849
issue-tracking https://github.com/libretro/RetroArch/pull/17555/commits/6446f045ec7fc6a5cac3e8ec35a2f0a5889c88e8
patch https://github.com/libretro/RetroArch/releases/tag/v1.21.0
signature https://vuldb.com/?ctiid.320516
vdb-entry https://vuldb.com/?id.320516
third-party-advisory https://vuldb.com/?submit.617657

Match rules

CPE URI                                            Source package  Min version  Max version
(none)                                             retroarch       == 1.18.0    == 1.18.0
(none)                                             retroarch       == 1.19.0    == 1.19.0
(none)                                             retroarch       == 1.20.0    == 1.20.0
(none)                                             retroarch       == 1.21.0    == 1.21.0
cpe:2.3:a:libretro:retroarch:1.18.0:*:*:*:*:*:*:*  retroarch       == None      == 1.18.0
cpe:2.3:a:libretro:retroarch:1.19.0:*:*:*:*:*:*:*  retroarch       == None      == 1.19.0
cpe:2.3:a:libretro:retroarch:1.20.0:*:*:*:*:*:*:*  retroarch       == None      == 1.20.0

Vulnerable and fixed packages

Source package  Branch          Version    Maintainer                             Status
retroarch       edge-community  1.20.0-r4  David Demelier <markand@malikania.fr>  possibly vulnerable
retroarch       edge-community  1.20.0-r3  David Demelier <markand@malikania.fr>  possibly vulnerable
retroarch       edge-community  1.20.0-r2  David Demelier <markand@malikania.fr>  possibly vulnerable
retroarch       edge-community  1.20.0-r1  David Demelier <markand@malikania.fr>  possibly vulnerable
retroarch       edge-community  1.20.0-r0  David Demelier <markand@malikania.fr>  possibly vulnerable
retroarch       3.22-community  1.20.0-r1  David Demelier <markand@malikania.fr>  possibly vulnerable