A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. This affects the function filestreamvscanf of the file libretro-common/streams/filestream.c. This manipulation causes out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9136.json",
"cwe_ids": [
"CWE-119",
"CWE-125"
],
"cna_assigner": "VulDB"
}{
"cpe": [
"cpe:2.3:a:libretro:retroarch:1.18.0:*:*:*:*:*:*:*",
"cpe:2.3:a:libretro:retroarch:1.19.0:*:*:*:*:*:*:*",
"cpe:2.3:a:libretro:retroarch:1.20.0:*:*:*:*:*:*:*"
],
"source": [
"CPE_STRING",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "1.18.0"
},
{
"last_affected": "1.18.0"
},
{
"introduced": "1.19.0"
},
{
"last_affected": "1.19.0"
},
{
"introduced": "1.20.0"
},
{
"last_affected": "1.20.0"
}
]
}[
{
"source": "https://github.com/libretro/retroarch/commit/baee906ef35b99283f9a1a060a2ce5ac86159b63",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"162130292249561628995292910053568097266",
"104233414859600926999355377536257743004",
"275555340370035838723121499190249855421",
"31197233573006035040717687183948115921",
"179004751844918075094493772847165307698",
"113764577284056271462296503714666276514",
"304309488201460837403500241858649070972",
"20630829578703174806765896117201432299",
"58173172064838131176129572744920503960",
"142390608580966376141626708518646052222",
"270758395646241429422823373288930668189",
"39501854110945206812773579996634961403",
"163347918905136091178195296640668855307",
"287938170996493099903981548407640795903",
"44448250689535972117553601694729305418",
"126121228482533360863180728672447905076",
"180275390088060099664797986433919036345",
"80889267640754184463047191182237461458",
"122068585085273247580325221214005376697",
"94873290190405394063290521134034228729",
"142934264361897551883884569450713268604",
"304177897816737473887252941963450717486",
"224313558672437982068575275592983905576",
"176210693052513318015081939572385856682",
"153634750677366415484112833044766923111",
"174773008867821174327371414093428875635",
"297269679670223725786803897610248047519",
"326078679690443017672003420142674106794",
"109567567707342438988479472337046410363",
"20104757887562145648916406276428825158",
"304227438736338361059540722670052425985",
"331607367363649912258744977498644487627",
"13383025752378841293157691675998985513",
"29427642055489523561171925055080975334",
"20015585946893174619669504507583515691",
"136886405544586818238068869992195225694",
"36029107567929509503560949576417973926",
"148779020000975884667708686495359107116",
"104474807874479018672964192187079292255",
"248458335180776126300305986067560779747",
"230483819337565089079293492318522142384",
"173020016269616863497426203858235537161",
"146073547200348231750333216744664309819",
"289885284131664385753345928692266892932",
"89415806950232637874450181197379595780",
"312130838917650859996758762281285512103",
"247787824796290150835911388198624496781",
"203999560540548640633351556583957560325",
"118446566762895884438628635630548680497",
"167967182833807986250345722623724727732",
"239629158866681684129302459334651585174",
"60079397004960820303804168722131507725",
"275024496457848631741583414247788920079",
"204295953773835827066980120075032389518",
"279821375572813404350032540922526442034",
"48717913420204460721871840063009104013",
"283408245334051739119623992764613810821",
"3870256925316747954190771692710440088",
"85827202543500371738429792067590793020",
"209517369757264857556424792308807876364",
"214552464714877324698719240883313247789",
"225897069819641669169447649255054956646",
"166022520763623461409595337004150080049",
"234201375690433364581198449630371524917",
"117327837902705506101186742689669922130",
"132034518603959268472300395364928905351",
"79557829758576537697284163404676134648",
"102075902844047038559443845588552465448",
"161175829640817765166057062327461038546",
"285273693728677811726151746144742474774",
"281065099595218720617967543612199686757",
"230606646705705852434134144432791411853",
"289106673939788233649249453453484157044",
"152062647520893244723832858750988776663",
"53113419180698156306913118155927766346",
"144508902598136657929227792907641403294",
"58887346544642054996297585803328825947",
"65563254033639000419934020853189711186",
"240305624807290968682462615858840191369",
"337619581966343291557998196676479733226"
]
},
"id": "CVE-2025-9136-ff273b6a",
"signature_type": "Line",
"target": {
"file": "intl/msg_hash_sv.h"
}
}
]
"2026-07-15T20:06:20Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9136.json"