CVE-2025-9136: 
Linux Debian vulnerability analysis and mitigation

A flaw has been found in libretro RetroArch versions 1.18.0, 1.19.0, and 1.20.0 affecting the filestreamvscanf function in the libretro-common/streams/filestream.c file. The vulnerability was discovered by Simcha Kosman from CyberArk Labs and was disclosed on February 11, 2025 (Github PR).

The vulnerability causes an out-of-bounds read in the filestream_vscanf function due to improper initialization of variables. The issue has been assigned CVE-2025-9136 and received a CVSS v4.0 score of 4.8 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read) (NVD).

The vulnerability allows for out-of-bounds read operations which could potentially lead to information disclosure or application crashes. The attack requires local access to be executed (VulDB).

The vulnerability has been fixed in RetroArch version 1.21.0. Users are recommended to upgrade to this version to mitigate the security risk. The fix involves properly initializing variables in the affected function (Github Release).