Linux Distros Unpatched Vulnerability : CVE-2025-9688

🗓️ 04 Sep 2025 00:00:00Reported by TenableType

Linux hosts unpatched Mupen64Plus CVE-2025-9688 allows remote integer overflow in write_is_viewer.

Reporter	Title	Published	Views	Family All 22
AlpineLinux	CVE-2025-9688	30 Aug 202512:32	–	alpinelinux
CNNVD	Mupen64Plus 安全漏洞	30 Aug 202500:00	–	cnnvd
CVE	CVE-2025-9688	30 Aug 202512:32	–	cve
Cvelist	CVE-2025-9688 Mupen64Plus is_viewer.c write_is_viewer integer overflow	30 Aug 202512:32	–	cvelist
Debian CVE	CVE-2025-9688	30 Aug 202512:32	–	debiancve
EUVD	EUVD-2025-26270	3 Oct 202520:07	–	euvd
Fedora	[SECURITY] Fedora 41 Update: mupen64plus-2.6.0-8.fc41	7 Nov 202502:36	–	fedora
Fedora	[SECURITY] Fedora 42 Update: mupen64plus-2.6.0-8.fc42	7 Nov 202501:33	–	fedora
Tenable Nessus	Fedora 41 : mupen64plus (2025-2406078e57)	7 Nov 202500:00	–	nessus
Tenable Nessus	Fedora 42 : mupen64plus (2025-7a40e176ed)	7 Nov 202500:00	–	nessus

Source	Link
security-tracker	www.security-tracker.debian.org/tracker/CVE-2025-9688
ubuntu	www.ubuntu.com/security/CVE-2025-9688
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(261198);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/21");

  script_cve_id("CVE-2025-9688");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2025-9688");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - A security vulnerability has been detected in Mupen64Plus up to 2.6.0. The affected element is the
    function write_is_viewer of the file src/device/cart/is_viewer.c. The manipulation leads to integer
    overflow. It is possible to initiate the attack remotely. The attack is considered to have high
    complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may
    be used. The identifier of the patch is 3984137fc0c44110f1ef876adb008885b05a6e18. To fix this issue, it is
    recommended to deploy a patch. (CVE-2025-9688)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2025-9688");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2025-9688");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-9688");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2025-9688");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/08/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/09/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:12.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:13.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:14.0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mupen64plus-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mupen64plus-core");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Debian Linux-11", "Host/OS/Debian Linux-12", "Host/OS/Debian Linux-13", "Host/OS/Debian Linux-14", "Host/OS/Ubuntu Linux-16.04", "Host/OS/Ubuntu Linux-18.04", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.04", "Host/OS/Ubuntu Linux-25.10");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Debian Linux-11": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "11",
        "pkgs": [
          {"reference": "libmupen64plus-dev"},
          {"reference": "libmupen64plus2"},
          {"reference": "mupen64plus-data"}
        ]
      }
    ]
  },
  "Debian Linux-12": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "12",
        "pkgs": [
          {"reference": "libmupen64plus-dev"},
          {"reference": "libmupen64plus2"},
          {"reference": "mupen64plus-data"}
        ]
      }
    ]
  },
  "Debian Linux-13": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "13",
        "pkgs": [
          {"reference": "libmupen64plus-dev"},
          {"reference": "libmupen64plus2"},
          {"reference": "mupen64plus-data"}
        ]
      }
    ]
  },
  "Debian Linux-14": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "14",
        "pkgs": [
          {"reference": "libmupen64plus-dev"},
          {"reference": "libmupen64plus2"},
          {"reference": "mupen64plus-data"}
        ]
      }
    ]
  },
  "Ubuntu Linux-16.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "16.04",
        "pkgs": [
          {"reference": "mupen64plus-core"}
        ]
      }
    ]
  },
  "Ubuntu Linux-18.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "18.04",
        "pkgs": [
          {"reference": "mupen64plus-core"}
        ]
      }
    ]
  },
  "Ubuntu Linux-20.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "20.04",
        "pkgs": [
          {"reference": "mupen64plus-core"}
        ]
      }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "22.04",
        "pkgs": [
          {"reference": "mupen64plus-core"}
        ]
      }
    ]
  },
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "mupen64plus-core"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.04",
        "pkgs": [
          {"reference": "mupen64plus-core"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "mupen64plus-core"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}

21 May 2026 00:00Current

5.3Medium risk

Vulners AI Score5.3

CVSS 42.3

CVSS 3.15

CVSS 25.1

CVSS 35

EPSS0.00074

SSVC