Skip to main content

libslirp CVE-2026-9539

| EUVDEUVD-2026-38654 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-24 STAR_Labs GHSA-4243-hp56-4m7f
6.5
CVSS 3.1 · Vendor: STAR_Labs
Share

Severity by source

Vendor (STAR_Labs) PRIMARY
6.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

AV:L because exploit originates inside guest VM; S:C for cross-VM-to-host boundary; PR:L for required guest root/CAP_NET_RAW; C:H for heap leak; I:N and A:N as impact is read-only.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative

Primary rating from Vendor (STAR_Labs).

CVSS VectorVendor: STAR_Labs

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 05:34 vuln.today

DescriptionCVE.org

An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a privileged guest VM attacker (root or CAP_NET_RAW) to leak gigabytes of sensitive host-process heap memory via sending crafted TCP segments with manipulated URG flags and urgent pointers (ti_urp).

AnalysisAI

Out-of-bounds heap read and integer underflow in libslirp's TCP urgent data handler (sosendoob) exposes gigabytes of host process heap memory to a privileged guest VM attacker. All libslirp releases before v4.9.2, as embedded in hypervisors such as QEMU, are affected when guest workloads hold root or CAP_NET_RAW privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain root or CAP_NET_RAW inside guest VM
Delivery
Craft TCP segments with malformed URG flags and ti_urp values
Exploit
Send segments to libslirp sosendoob() on host
Execution
Trigger integer underflow in urgent pointer calculation
Persist
Host performs out-of-bounds heap read
Impact
Exfiltrate gigabytes of host process memory

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold root or CAP_NET_RAW privileges inside a guest VM running on a host that uses libslirp before v4.9.2 for user-space network emulation (e.g., QEMU with the default user-mode networking backend). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) is technically sound but operationally understates the cross-boundary impact in multi-tenant environments: S:C signals the exploit crosses the guest-to-host boundary, and C:H confirms the full confidentiality impact on host process memory. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a guest VM with root or CAP_NET_RAW privileges writes a tool that repeatedly sends TCP segments with crafted URG flags and computed ti_urp values designed to underflow the urgent pointer arithmetic in libslirp's sosendoob() on the host. Each crafted segment causes the host process to read beyond the intended heap buffer boundary, and the returned data - accumulated over many requests - leaks gigabytes of host memory potentially containing co-tenant VM data, TLS session keys, or credentials held in the hypervisor process. …
Remediation The primary remediation is to upgrade libslirp to v4.9.2 or later, available at https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.9.2; the specific fix is tracked in commit 927bca7344e31fd58e2f7afaca784aad4400eb84 at https://gitlab.freedesktop.org/slirp/libslirp/-/commit/927bca7344e31fd58e2f7afaca784aad4400eb84. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-1983 MEDIUM POC
6.5 Apr 22

A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets t

CVE-2019-14378 HIGH POC
8.8 Jul 29

ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a cas

CVE-2020-29130 MEDIUM POC
4.3 Nov 26

slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even i

CVE-2020-7211 HIGH
7.5 Jan 21

tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. Rated high severit

CVE-2019-15890 HIGH
7.5 Sep 06

libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. Rated high severity (CVSS 7.5), t

CVE-2020-10756 MEDIUM
6.5 Jul 09

An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. Rated medium

CVE-2020-8608 MEDIUM
5.6 Feb 06

In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in lat

CVE-2020-7039 MEDIUM
5.6 Jan 16

tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands i

CVE-2020-29129 MEDIUM
4.3 Nov 26

ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if

CVE-2021-3595 LOW
3.8 Jun 15

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CV

CVE-2021-3594 LOW
3.8 Jun 15

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CV

CVE-2021-3593 LOW
3.8 Jun 15

An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. Rated low severity (CV

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Micro 5.3 Affected
SUSE Linux Enterprise Micro 5.4 Affected
SUSE Linux Enterprise Micro 5.5 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected

Share

CVE-2026-9539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy