
CVE-2025-9136: Out-of-Bounds Read in libretro RetroArch

Severity: Medium
Type: Vulnerability (CVE-2025-9136)
Published: Tue Aug 19 2025 (08/19/2025, 11:32:08 UTC)
Source: CVE Database V5
Vendor/Project: libretro
Product: RetroArch

Description

A flaw has been found in libretro RetroArch 1.18.0, 1.19.0 and 1.20.0. It affects the function filestream_vscanf in the file libretro-common/streams/file_stream.c. The manipulation causes an out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue; it is recommended to upgrade the affected component.

AI-Powered Analysis

Last updated: 08/19/2025, 12:02:49 UTC

Technical Analysis

CVE-2025-9136 is a medium-severity vulnerability in libretro RetroArch versions 1.18.0, 1.19.0 and 1.20.0. RetroArch is a popular open-source frontend for emulators, game engines and media players, widely used for retro gaming. The vulnerability resides in the filestream_vscanf function in libretro-common/streams/file_stream.c, where improper handling of input data leads to an out-of-bounds read, that is, a read of memory outside the intended buffer boundaries. This class of flaw can lead to information disclosure or application instability. Exploitation requires local access with at least low privileges (PR:L) and no user interaction (UI:N); the attack vector is local (AV:L), so an attacker must already have access to the system to trigger the flaw, and there is no network exposure or remote exploitation. The CVSS 4.0 base score is 4.8 (medium), reflecting the limited attack vector and the privileges required. No exploits in the wild were known as of the publication date. The recommended mitigation is upgrading RetroArch to version 1.21.0, where the issue has been addressed; no additional patches or workarounds are indicated in the available information.

Potential Impact

For European organizations, the impact of CVE-2025-9136 is relatively limited because of the local attack vector and the requirement for low privileges on the affected system. Organizations that run RetroArch in environments where multiple users share a machine, such as gaming cafes, educational institutions or shared workstations, could however face information leakage or application crashes caused by this out-of-bounds read. The vulnerability does not by itself enable remote code execution or privilege escalation, but it could be leveraged as one stage of a multi-stage attack if combined with other vulnerabilities. The confidentiality impact is low to medium, since out-of-bounds reads may expose sensitive memory contents; integrity and availability impacts are low but could manifest as application instability or crashes. Because RetroArch is primarily used for gaming and media playback, the impact on critical infrastructure is minimal. Nonetheless, organizations with strict security policies, or those integrating RetroArch into custom workflows, should take the vulnerability seriously.

Mitigation Recommendations

European organizations should promptly upgrade all instances of RetroArch to version 1.21.0 or later to fully remediate the vulnerability. Given the local attack vector, organizations should also enforce strict access controls on systems running RetroArch, limiting user privileges and preventing untrusted users from executing or manipulating the software. Implementing application whitelisting and monitoring for unusual local activity related to RetroArch can help detect potential exploitation attempts. Additionally, organizations should audit shared or multi-user environments where RetroArch is installed to ensure that only authorized personnel have access. Regularly reviewing and updating software inventory and patch management processes to include RetroArch and similar applications will reduce exposure to such vulnerabilities. Finally, educating users about the risks of running untrusted files or scripts within RetroArch can further mitigate exploitation risks.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-19T05:30:17.042Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a46468ad5a09ad00f6ea34

Added to database: 8/19/2025, 11:47:52 AM

Last enriched: 8/19/2025, 12:02:49 PM

Last updated: 8/19/2025, 1:32:47 PM
