Description
An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a privileged guest VM attacker (root or CAP_NET_RAW) to leak gigabytes of sensitive host-process heap memory via sending crafted TCP segments with manipulated URG flags and urgent pointers (ti_urp).
Published: 2026-06-24
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in freedesktop.org libslirp allows an out‑of‑bounds heap read and integer underflow during TCP urgent data handling. By sending crafted TCP segments that manipulate the URG flag and urgent pointer, an attacker can read up to gigabytes of host heap memory. The exposed data may include sensitive information such as credentials or cryptographic material, representing a confidentiality breach (CWE‑125). The CVSS score of 6.5 reflects that the impact is limited to data leakage rather than direct control or denial.

Affected Systems

The vulnerability exists in libslirp versions before v4.9.2. Hosts running the library in hyper‑visor environments such as QEMU are affected. No mention of newer major releases indicates that only older builds are vulnerable.

Risk and Exploitability

Exploitation requires a privileged guest VM attacker with root or CAP_NET_RAW capabilities to send the malicious packets. The flaw is not listed in CISA KEV, and no EPSS score is available, suggesting no documented exploitation yet. Given the need for host‑level privileges and the data‑leak nature, the overall risk is moderate until the package is updated.

Generated by OpenCVE AI on June 24, 2026 at 09:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libslirp to version 4.9.2 or later from the official Freedesktop release.
  • If an upgrade is not immediately possible, apply the commit 927bca7344e31fd58e2f7afaca784aad4400eb84 to patch the vulnerable code or rebuild libslirp with the updated source.
  • Restrict VM guest privileges by removing CAP_NET_RAW or lowering the attacker’s capabilities, so that privileged guests cannot send arbitrary TCP segments with URG flags to the host.

Generated by OpenCVE AI on June 24, 2026 at 09:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Freedesktop.org
Freedesktop.org libslirp
Vendors & Products Freedesktop.org
Freedesktop.org libslirp

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Description An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a privileged guest VM attacker (root or CAP_NET_RAW) to leak gigabytes of sensitive host-process heap memory via sending crafted TCP segments with manipulated URG flags and urgent pointers (ti_urp).
Title libslirp TCP URG OOB Read Information Leak
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Freedesktop.org Libslirp
cve-icon MITRE

Status: PUBLISHED

Assigner: STAR_Labs

Published:

Updated: 2026-06-24T12:39:59.831Z

Reserved: 2026-05-26T02:36:53.227Z

Link: CVE-2026-9539

cve-icon Vulnrichment

Updated: 2026-06-24T12:39:56.720Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:05:09Z

Weaknesses