CVE-2025-9688

Name: CVE-2025-9688
Description: A security vulnerability has been detected in Mupen64Plus up to 2.6.0. The affected element is the function write_is_viewer of the file src/device/cart/is_viewer.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may be used. The identifier of the patch is 3984137fc0c44110f1ef876adb008885b05a6e18. To fix this issue, it is recommended to deploy a patch.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
mupen64plus-core (PTS) | bullseye | 2.5-7 | vulnerable
mupen64plus-core | bookworm | 2.5.9+341+gf82b37bf-1 | vulnerable
mupen64plus-core | forky, sid, trixie | 2.6.0-2 | vulnerable

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
mupen64plus-core | source | (unstable) | (unfixed) | unimportant | |

Notes

https://github.com/Giles-one/mupen64plusEscape/tree/main/BUG10
https://github.com/mupen64plus/mupen64plus-core/commit/3984137fc0c44110f1ef876adb008885b05a6e18
Negligible security impact
