Skip to main content

snes9x CVE-2026-39199

LOW
Out-of-bounds Write (CWE-787)
2026-06-17 mitre
2.9
CVSS 3.1 · Vendor: mitre

Severity by source

Vendor (mitre) PRIMARY
2.9 LOW
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
vuln.today AI
3.6 LOW

UI:R added because user must actively apply the crafted .ups file; I:L added since CWE-787 out-of-bounds write implies at least minor memory integrity impact beyond pure DoS.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
4.0 AV:L/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 17, 2026 - 18:01 vuln.today
Analysis Generated
Jun 17, 2026 - 18:01 vuln.today

DescriptionCVE.org

snes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file.

AnalysisAI

Out-of-bounds write in snes9x 1.63's UPS patch file parser allows a crafted .ups ROM patch file to trigger memory corruption and a denial-of-service crash. The flaw resides in the ReadUPSPatch loop in memmap.cpp, where the loop iterator relative was not bounded against CMemory::MAX_ROM_SIZE, permitting writes past the end of the allocated ROM buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious .ups patch file
Delivery
Host or deliver file to target user
Exploit
User opens snes9x 1.63 and applies crafted patch
Execution
ReadUPSPatch loop writes past ROM buffer boundary
Impact
Out-of-bounds memory write triggers crash (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that a user manually applies a crafted .ups patch file through snes9x's ROM patching functionality - the attacker cannot trigger the vulnerability without user action to open or apply the malicious file. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is low based on converging signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious .ups ROM patch file engineered so that the `relative` offset variable increments past CMemory::MAX_ROM_SIZE during the ReadUPSPatch loop, writing data beyond the ROM buffer boundary. The attacker distributes the file via a ROM hacking forum, Discord server, or social media post, enticing an snes9x 1.63 user to apply the patch to a legitimate ROM - causing a crash or memory corruption when the emulator processes the file. …
Remediation An upstream fix is available via commit 96b366100172723f6314c40e237b370f4f7b59f4 on the snes9x GitHub repository (https://github.com/snes9xgit/snes9x/commit/96b366100172723f6314c40e237b370f4f7b59f4); however, a formally released patched version is not independently confirmed from the available data - users should check https://github.com/snes9xgit/snes9x/releases for a tagged release incorporating this commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy