Ubuntu flags RetroArch CVE, buffer overflow could enable code execution
Ubuntu’s RetroArch packages carry a high-priority CVE that can turn a crafted .cue file into crash or code execution on affected installs.

Ubuntu RetroArch users on 24.04 LTS and 25.10 need to check their package now. Ubuntu’s USN-8166-1, published April 12, 2026, marked CVE-2025-9809 as high priority and said a specially crafted file could make RetroArch crash or run programs as the logged-in user.
The flaw sits in libretro-common’s CDFS .cue parser, where Ubuntu describes an out-of-bounds write in cdfs_open_cue_track. In practical terms, a malicious .cue file with a path that runs past PATH_MAX_LENGTH can overflow a fixed-size buffer and trigger arbitrary code execution. The GitHub issue tied to the bug gives the same core warning in more direct language: memcpy(current_track_path, file, file_end - file) can write beyond the destination buffer, and an overly long FILE path can cause a stack-based buffer overflow.
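To make the defect concrete, here is an added example (not libretro-common's source and not Ubuntu's patch) of a bounded version of the FILE-path copy the advisory describes. The PATH_MAX_LENGTH value and the function names are assumptions; the point is the length comparison that the unchecked memcpy lacks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed stand-in for libretro-common's PATH_MAX_LENGTH. */
#define PATH_MAX_LENGTH 512

/* Copy the path from a .cue "FILE" line into a fixed-size buffer.
 * Returns false if the line is malformed or the path (plus its NUL
 * terminator) would not fit, instead of writing past the buffer. */
bool cue_extract_file_path(const char *line, char *out, size_t out_size)
{
    const char *file = strstr(line, "FILE ");
    const char *file_end;
    if (!file)
        return false;
    file += 5;
    while (*file == ' ')
        file++;
    if (*file == '"') {                       /* quoted path */
        file++;
        file_end = strchr(file, '"');
    } else {                                  /* bare path up to whitespace */
        file_end = strpbrk(file, " \r\n");
        if (!file_end)
            file_end = file + strlen(file);
    }
    if (!file_end)
        return false;
    size_t len = (size_t)(file_end - file);
    /* memcpy(current_track_path, file, file_end - file) with no such
       comparison is the pattern the advisory warns about. */
    if (len >= out_size)
        return false;
    memcpy(out, file, len);
    out[len] = '\0';
    return true;
}

/* Build a constructed cue line whose FILE path is path_len 'A' characters
 * and report whether it fits a PATH_MAX_LENGTH-sized track path buffer. */
bool cue_line_with_path_len_fits(size_t path_len)
{
    char line[PATH_MAX_LENGTH + 64];
    char current_track_path[PATH_MAX_LENGTH];
    size_t n = 0;
    if (path_len + 16 > sizeof line)          /* constructed input too big */
        return false;
    memcpy(line + n, "FILE \"", 6);           n += 6;
    memset(line + n, 'A', path_len);          n += path_len;
    memcpy(line + n, "\" BINARY\n", 10);      n += 10;   /* includes NUL */
    return cue_extract_file_path(line, current_track_path,
                                 sizeof current_track_path);
}
```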
That matters because RetroArch is not just a launcher sitting on the edge of a system. It is the frontend many people use to manage emulators, game engines, media playback, playlists, thumbnails, shaders, save states, and ROM libraries. A bad file does not have to look like a game image to be dangerous. If a download, community pack, or imported archive includes a crafted cue sheet, the vulnerable code path can be reached during a routine open.
Ubuntu says the issue affects Ubuntu 24.04 LTS (noble) and Ubuntu 25.10 (questing). For 25.10, the fixed builds are retroarch 1.20.0+dfsg-3ubuntu0.1 and retroarch-dev 1.20.0+dfsg-3ubuntu0.1. For 24.04 LTS, Ubuntu lists the Ubuntu Pro and ESM Apps fixes as retroarch 1.18.0+dfsg-1ubuntu0.1~esm1 and retroarch-dev 1.18.0+dfsg-1ubuntu0.1~esm1.
Ubuntu’s CVE status also shows retroarch needing evaluation on 22.04 LTS, 20.04 LTS, and 18.04 LTS, while 25.04 was ignored because it is end-of-life. The practical move for Ubuntu users is simple: compare the installed RetroArch package against the fixed version for the release you are running, then update as soon as the patched build is available through Ubuntu’s normal package channels.
RetroArch says the project has been around since 2012 and runs on Windows, Mac OS X, Linux, Android, and several game consoles. That reach is part of the appeal, but it is also why the security posture matters. For preservation-minded players, the lesson is blunt: the frontend that protects your library also needs protection of its own.