CVE-2025-9136

A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. This affects the function filestream_vscanf of the file libretro-common/streams/file_stream.c. This manipulation causes out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component.

CVSS v3 5.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:L/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 3.1 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/libretro/RetroArch/pull/17555	Issue Tracking Patch
https://github.com/libretro/RetroArch/pull/17555#issuecomment-2651403849	Issue Tracking Patch
https://github.com/libretro/RetroArch/pull/17555/commits/6446f045ec7fc6a5cac3e8ec35a2f0a5889c88e8	Patch
https://github.com/libretro/RetroArch/releases/tag/v1.21.0	Release Notes
https://vuldb.com/?ctiid.320516	Permissions Required VDB Entry
https://vuldb.com/?id.320516	Third Party Advisory VDB Entry
https://vuldb.com/?submit.617657	Third Party Advisory VDB Entry
https://vuldb.com/?submit.617657	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:libretro:retroarch:1.18.0:::::::*
	cpe:2.3:a:libretro:retroarch:1.19.0:::::::*
	cpe:2.3:a:libretro:retroarch:1.20.0:::::::*

History

12 Sep 2025, 14:55

Type	Values Removed	Values Added
CPE		cpe:2.3:a:libretro:retroarch:1.20.0:::::::* cpe:2.3:a:libretro:retroarch:1.18.0:::::::* cpe:2.3:a:libretro:retroarch:1.19.0:::::::*
First Time		Libretro Libretro retroarch
References	~~() https://github.com/libretro/RetroArch/pull/17555 -~~	() https://github.com/libretro/RetroArch/pull/17555 - Issue Tracking, Patch
References	~~() https://github.com/libretro/RetroArch/pull/17555#issuecomment-2651403849 -~~	() https://github.com/libretro/RetroArch/pull/17555#issuecomment-2651403849 - Issue Tracking, Patch
References	~~() https://github.com/libretro/RetroArch/pull/17555/commits/6446f045ec7fc6a5cac3e8ec35a2f0a5889c88e8 -~~	() https://github.com/libretro/RetroArch/pull/17555/commits/6446f045ec7fc6a5cac3e8ec35a2f0a5889c88e8 - Patch
References	~~() https://github.com/libretro/RetroArch/releases/tag/v1.21.0 -~~	() https://github.com/libretro/RetroArch/releases/tag/v1.21.0 - Release Notes
References	~~() https://vuldb.com/?ctiid.320516 -~~	() https://vuldb.com/?ctiid.320516 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.320516 -~~	() https://vuldb.com/?id.320516 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.617657 -~~	() https://vuldb.com/?submit.617657 - Third Party Advisory, VDB Entry

19 Aug 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://vuldb.com/?submit.617657 -~~	() https://vuldb.com/?submit.617657 -

19 Aug 2025, 13:42

Type	Values Removed	Values Added
Summary		(es) Se ha encontrado una falla en libretro RetroArch 1.18.0/1.19.0/1.20.0. Esta afecta a la función filestream_vscanf del archivo libretro-common/streams/file_stream.c. Esta manipulación provoca lecturas fuera de los límites. El ataque debe ejecutarse localmente. Actualizar a la versión 1.21.0 mitiga este problema. Se recomienda actualizar el componente afectado.

19 Aug 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 12:15

Updated : 2025-09-12 14:55

NVD link : CVE-2025-9136

Mitre link : CVE-2025-9136

CVE.ORG link : CVE-2025-9136

JSON object : View

Products Affected

libretro

retroarch

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-125

Out-of-bounds Read

5.3 /10