CVE-2025-9809: 
Linux Debian vulnerability analysis and mitigation

Out-of-bounds write vulnerability (CVE-2025-9809) was discovered in the cdfsopencue_track function of libretro libretro-common's latest version. The vulnerability affects all platforms and was disclosed on September 1, 2025. The issue exists in the CDFS .cue file parser component, which fails to properly validate file path lengths (NVD, GitHub Issue).

The vulnerability is classified as CWE-787 (Out-of-bounds Write) with a CVSS v4.0 Base Score of 8.4 (High). The issue occurs in the cdfsopencuetrack function where a memcpy operation copies file path data without proper length validation, potentially exceeding the PATHMAX_LENGTH buffer size. The vulnerability vector is CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating local access with low attack complexity (NVD, AttackerKB).

The vulnerability allows remote attackers to execute arbitrary code through a specially crafted .cue file. When exploited, the buffer overflow can lead to code execution in the context of the application processing the malicious .cue file (GitHub Issue).

The recommended mitigation is to limit the memcpy size to PATHMAXLENGTH - 1 and ensure null termination of the buffer. This prevents the buffer overflow condition by properly validating input lengths before copying data (GitHub Issue).