snes9x
CVE-2026-39199
LOW
Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
UI:R added because user must actively apply the crafted .ups file; I:L added since CWE-787 out-of-bounds write implies at least minor memory integrity impact beyond pure DoS.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
snes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file.
AnalysisAI
Out-of-bounds write in snes9x 1.63's UPS patch file parser allows a crafted .ups ROM patch file to trigger memory corruption and a denial-of-service crash. The flaw resides in the ReadUPSPatch loop in memmap.cpp, where the loop iterator relative was not bounded against CMemory::MAX_ROM_SIZE, permitting writes past the end of the allocated ROM buffer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a user manually applies a crafted .ups patch file through snes9x's ROM patching functionality - the attacker cannot trigger the vulnerability without user action to open or apply the malicious file. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is low based on converging signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious .ups ROM patch file engineered so that the `relative` offset variable increments past CMemory::MAX_ROM_SIZE during the ReadUPSPatch loop, writing data beyond the ROM buffer boundary. The attacker distributes the file via a ROM hacking forum, Discord server, or social media post, enticing an snes9x 1.63 user to apply the patch to a legitimate ROM - causing a crash or memory corruption when the emulator processes the file. … |
| Remediation | An upstream fix is available via commit 96b366100172723f6314c40e237b370f4f7b59f4 on the snes9x GitHub repository (https://github.com/snes9xgit/snes9x/commit/96b366100172723f6314c40e237b370f4f7b59f4); however, a formally released patched version is not independently confirmed from the available data - users should check https://github.com/snes9xgit/snes9x/releases for a tagged release incorporating this commit. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today