CVE-2026-39199

NameCVE-2026-39199
Descriptionsnes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140481

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libretro-snes9x (PTS)bullseye/non-free1.53+git20160522-1vulnerable
bookworm/non-free1.61+dfsg-1vulnerable
forky/non-free, sid/non-free, trixie/non-free1.63+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libretro-snes9xsource(unstable)(unfixed)1140481

Notes

[trixie] - libretro-snes9x <no-dsa> (non-free not supported)
https://karansaini.com/snes9x-oob-write/
https://github.com/snes9xgit/snes9x/issues/1035
https://github.com/snes9xgit/snes9x/commit/96b366100172723f6314c40e237b370f4f7b59f4
Search for package or bug name: Reporting problems