CVE-2025-9809: 
Linux Debian vulnerability analysis and mitigation

Out-of-bounds write vulnerability (CVE-2025-9809) was discovered in the cdfsopencue_track function within libretro libretro-common's latest version. The vulnerability was disclosed on September 1, 2025, affecting all platforms running the software. This security flaw allows remote attackers to execute arbitrary code through a specially crafted .cue file (NVD).

The vulnerability stems from an improper buffer handling in the cdfsopencuetrack function where a memcpy operation uses unchecked source size that may exceed the destination buffer's PATHMAX_LENGTH limit. The vulnerability has been assigned a CVSS v4.0 base score of 8.4 (HIGH) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. It is classified as CWE-787 (Out-of-bounds Write) (NVD, Github Issue).

When successfully exploited, this vulnerability allows attackers to execute arbitrary code on the affected system through a specially crafted .cue file. The high severity score indicates significant potential impact on system security, particularly concerning code execution capabilities (Github Issue).

The recommended mitigation is to limit the memcpy size to PATHMAXLENGTH - 1 and ensure null termination of the buffer. Users should update their systems once a patch is available (Github Issue).