CVE-2025-9136

Source
https://cve.org/CVERecord?id=CVE-2025-9136
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9136.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-9136
Downstream
Published
2025-08-19T11:32:08.147Z
Modified
2026-07-15T20:06:20.076393Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X CVSS Calculator
Summary
libretro RetroArch file_stream.c filestream_vscanf out-of-bounds
Details

A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. This affects the function filestreamvscanf of the file libretro-common/streams/filestream.c. This manipulation causes out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/9xxx/CVE-2025-9136.json",
    "cwe_ids": [
        "CWE-119",
        "CWE-125"
    ],
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/libretro/retroarch

Affected ranges

Type
GIT
Repo
https://github.com/libretro/retroarch
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:libretro:retroarch:1.18.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:libretro:retroarch:1.19.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:libretro:retroarch:1.20.0:*:*:*:*:*:*:*"
    ],
    "source": [
        "CPE_STRING",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "1.18.0"
        },
        {
            "last_affected": "1.18.0"
        },
        {
            "introduced": "1.19.0"
        },
        {
            "last_affected": "1.19.0"
        },
        {
            "introduced": "1.20.0"
        },
        {
            "last_affected": "1.20.0"
        }
    ]
}

Affected versions

1.*
1.18.0
1.19.0
1.20.0
v1.*
v1.18.0
v1.19.0
v1.19.1
v1.20.0

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/libretro/retroarch/commit/baee906ef35b99283f9a1a060a2ce5ac86159b63",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "162130292249561628995292910053568097266",
                "104233414859600926999355377536257743004",
                "275555340370035838723121499190249855421",
                "31197233573006035040717687183948115921",
                "179004751844918075094493772847165307698",
                "113764577284056271462296503714666276514",
                "304309488201460837403500241858649070972",
                "20630829578703174806765896117201432299",
                "58173172064838131176129572744920503960",
                "142390608580966376141626708518646052222",
                "270758395646241429422823373288930668189",
                "39501854110945206812773579996634961403",
                "163347918905136091178195296640668855307",
                "287938170996493099903981548407640795903",
                "44448250689535972117553601694729305418",
                "126121228482533360863180728672447905076",
                "180275390088060099664797986433919036345",
                "80889267640754184463047191182237461458",
                "122068585085273247580325221214005376697",
                "94873290190405394063290521134034228729",
                "142934264361897551883884569450713268604",
                "304177897816737473887252941963450717486",
                "224313558672437982068575275592983905576",
                "176210693052513318015081939572385856682",
                "153634750677366415484112833044766923111",
                "174773008867821174327371414093428875635",
                "297269679670223725786803897610248047519",
                "326078679690443017672003420142674106794",
                "109567567707342438988479472337046410363",
                "20104757887562145648916406276428825158",
                "304227438736338361059540722670052425985",
                "331607367363649912258744977498644487627",
                "13383025752378841293157691675998985513",
                "29427642055489523561171925055080975334",
                "20015585946893174619669504507583515691",
                "136886405544586818238068869992195225694",
                "36029107567929509503560949576417973926",
                "148779020000975884667708686495359107116",
                "104474807874479018672964192187079292255",
                "248458335180776126300305986067560779747",
                "230483819337565089079293492318522142384",
                "173020016269616863497426203858235537161",
                "146073547200348231750333216744664309819",
                "289885284131664385753345928692266892932",
                "89415806950232637874450181197379595780",
                "312130838917650859996758762281285512103",
                "247787824796290150835911388198624496781",
                "203999560540548640633351556583957560325",
                "118446566762895884438628635630548680497",
                "167967182833807986250345722623724727732",
                "239629158866681684129302459334651585174",
                "60079397004960820303804168722131507725",
                "275024496457848631741583414247788920079",
                "204295953773835827066980120075032389518",
                "279821375572813404350032540922526442034",
                "48717913420204460721871840063009104013",
                "283408245334051739119623992764613810821",
                "3870256925316747954190771692710440088",
                "85827202543500371738429792067590793020",
                "209517369757264857556424792308807876364",
                "214552464714877324698719240883313247789",
                "225897069819641669169447649255054956646",
                "166022520763623461409595337004150080049",
                "234201375690433364581198449630371524917",
                "117327837902705506101186742689669922130",
                "132034518603959268472300395364928905351",
                "79557829758576537697284163404676134648",
                "102075902844047038559443845588552465448",
                "161175829640817765166057062327461038546",
                "285273693728677811726151746144742474774",
                "281065099595218720617967543612199686757",
                "230606646705705852434134144432791411853",
                "289106673939788233649249453453484157044",
                "152062647520893244723832858750988776663",
                "53113419180698156306913118155927766346",
                "144508902598136657929227792907641403294",
                "58887346544642054996297585803328825947",
                "65563254033639000419934020853189711186",
                "240305624807290968682462615858840191369",
                "337619581966343291557998196676479733226"
            ]
        },
        "id": "CVE-2025-9136-ff273b6a",
        "signature_type": "Line",
        "target": {
            "file": "intl/msg_hash_sv.h"
        }
    }
]
vanir_signatures_modified
"2026-07-15T20:06:20Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9136.json"