CVE-2025-9688

MEDIUM

Mupen64Plus <2.6.0 - Memory Corruption

Title source: llm

Description

A security vulnerability has been detected in Mupen64Plus up to 2.6.0. The affected element is the function write_is_viewer of the file src/device/cart/is_viewer.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may be used. The identifier of the patch is 3984137fc0c44110f1ef876adb008885b05a6e18. To fix this issue, it is recommended to deploy a patch.

References (5)

Core 5

Core References

Permissions Required, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.321900

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.321900

Permissions Required, VDB Entry third-party-advisory

https://vuldb.com/?submit.638592

Various Sources exploit

https://github.com/Giles-one/mupen64plusEscape/tree/main/BUG10

Patch patch

https://github.com/mupen64plus/mupen64plus-core/commit/3984137fc0c44110f1ef876adb008885b05a6e18

View Patch ZIP pw:eip

Scores

CVSS v3 5.0

EPSS 0.0026

EPSS Percentile 16.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-189 CWE-190

Status published

Products (7)

n/a/Mupen64Plus 2.0

n/a/Mupen64Plus 2.1

n/a/Mupen64Plus 2.2

n/a/Mupen64Plus 2.3

n/a/Mupen64Plus 2.4

n/a/Mupen64Plus 2.5

n/a/Mupen64Plus 2.6.0

Published Aug 30, 2025

Tracked Since Feb 18, 2026