CVE-2025-9136

A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. This affects the function filestream_vscanf of the file libretro-common/streams/file_stream.c. This manipulation causes out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component.

CVSS v3 5.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 3.1 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/libretro/RetroArch/pull/17555
https://github.com/libretro/RetroArch/pull/17555#issuecomment-2651403849
https://github.com/libretro/RetroArch/pull/17555/commits/6446f045ec7fc6a5cac3e8ec35a2f0a5889c88e8
https://github.com/libretro/RetroArch/releases/tag/v1.21.0
https://vuldb.com/?ctiid.320516
https://vuldb.com/?id.320516
https://vuldb.com/?submit.617657
https://vuldb.com/?submit.617657

Configurations

No configuration.

History

19 Aug 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://vuldb.com/?submit.617657 -~~	() https://vuldb.com/?submit.617657 -

19 Aug 2025, 13:42

Type	Values Removed	Values Added
Summary		(es) Se ha encontrado una falla en libretro RetroArch 1.18.0/1.19.0/1.20.0. Esta afecta a la función filestream_vscanf del archivo libretro-common/streams/file_stream.c. Esta manipulación provoca lecturas fuera de los límites. El ataque debe ejecutarse localmente. Actualizar a la versión 1.21.0 mitiga este problema. Se recomienda actualizar el componente afectado.

19 Aug 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-19 12:15

Updated : 2025-08-19 14:15

NVD link : CVE-2025-9136

Mitre link : CVE-2025-9136

CVE.ORG link : CVE-2025-9136

JSON object : View

Products Affected

No product.

CWE

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-125

Out-of-bounds Read

{"id": "CVE-2025-9136", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.1, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.8, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-19T12:15:27.390", "references": [{"url": "https://github.com/libretro/RetroArch/pull/17555", "source": "cna@vuldb.com"}, {"url": "https://github.com/libretro/RetroArch/pull/17555#issuecomment-2651403849", "source": "cna@vuldb.com"}, {"url": "https://github.com/libretro/RetroArch/pull/17555/commits/6446f045ec7fc6a5cac3e8ec35a2f0a5889c88e8", "source": "cna@vuldb.com"}, {"url": "https://github.com/libretro/RetroArch/releases/tag/v1.21.0", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?ctiid.320516", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.320516", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.617657", "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?submit.617657", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. This affects the function filestream_vscanf of the file libretro-common/streams/file_stream.c. This manipulation causes out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component."}, {"lang": "es", "value": "Se ha encontrado una falla en libretro RetroArch 1.18.0/1.19.0/1.20.0. Esta afecta a la funci\u00f3n filestream_vscanf del archivo libretro-common/streams/file_stream.c. Esta manipulaci\u00f3n provoca lecturas fuera de los l\u00edmites. El ataque debe ejecutarse localmente. Actualizar a la versi\u00f3n 1.21.0 mitiga este problema. Se recomienda actualizar el componente afectado."}], "lastModified": "2025-08-19T14:15:43.947", "sourceIdentifier": "cna@vuldb.com"}