CVE-2025-9136

EUVD-2025-25164
A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. This affects the function filestream_vscanf of the file libretro-common/streams/file_stream.c. This manipulation causes out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDBCNA
5.3 MEDIUM
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
Base Score
CVSS 3.x
EPSS Score
Percentile: 3%
Affected Products (NVD)
VendorProductVersion
libretroretroarch
1.18.0
libretroretroarch
1.19.0
libretroretroarch
1.20.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
retroarch
bookworm
no-dsa
bullseye
postponed
forky
1.22.2+dfsg-2
fixed
sid
1.22.2+dfsg-2
fixed
trixie
no-dsa
Common Weakness Enumeration
References
https://github.com/libretro/RetroArch/pull/17555
https://github.com/libretro/RetroArch/pull/17555#issuecomment-2651403849
https://github.com/libretro/RetroArch/pull/17555/commits/6446f045ec7fc6a5cac3e8ec35a2f0a5889c88e8
https://github.com/libretro/RetroArch/releases/tag/v1.21.0
https://vuldb.com/?ctiid.320516
https://vuldb.com/?id.320516
https://vuldb.com/?submit.617657
https://vuldb.com/?submit.617657