Description
snes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file.
Published: 2026-06-17
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Snes9X 1.63 is vulnerable to an out‑of‑bounds write that can be triggered by a specially crafted .ups file. The defect occurs when the emulator parses the file’s data fields, allowing the write to extend beyond the allocated buffer. This memory corruption leads to a crash of the application, resulting in a denial of service. The weakness is identified as Dangerous Out‑of‑Bounds Write (CWE‑787) and does not provide code execution or data disclosure.

Affected Systems

Affected systems include any installation of Snes9X 1.63. The vulnerability arises from the emulator’s handling of .ups patch files, so users running this exact version on Windows, macOS, or Linux are at risk. No other versions or releases are currently identified as affected.

Risk and Exploitability

The CVSS score of 2.9 categorizes the flaw as low severity, and the EPSS value of < 1% indicates a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is local, requiring a user to supply a malicious .ups file to the emulator; remote exploitation is not described. An attacker could crash the emulator during use, causing interruption of the user’s activity but no compromise of system integrity or data.

Generated by OpenCVE AI on June 18, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Snes9X update or the vendor‑supplied patch that resolves the out‑of‑bounds write in version 1.63.
  • Validate the integrity and format of any .ups file before loading it; reject files that deviate from the expected header or size limits.
  • Run the emulator with the minimum necessary privileges and, if possible, in a sandboxed environment to contain any crash‑induced denial of service.

Generated by OpenCVE AI on June 18, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Out-of-Bounds Write and Denial of Service via Crafted .Ups Files in Snes9X 1.63

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Description snes9x 1.63 allows an out-of-bounds write and denial of service via a crafted .ups file.
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-17T18:10:14.213Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-39199

cve-icon Vulnrichment

Updated: 2026-06-17T18:10:11.429Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T19:00:11Z

Weaknesses