๐Ÿ” CVE Alert

CVE-2026-9539

MEDIUM 6.5

libslirp TCP URG OOB Read Information Leak

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp versions before v4.9.2 on hypervisor host environments (e.g., QEMU) allow a privileged guest VM attacker (root or CAP_NET_RAW) to leak gigabytes of sensitive host-process heap memory by sending crafted TCP segments with manipulated URG flags and urgent pointers (ti_urp).

CWE: CWE-125
Vendor: freedesktop.org
Product: libslirp
Published: Jun 24, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

freedesktop.org / libslirp
From 0, before 4.9.2

References

gitlab.freedesktop.org: https://gitlab.freedesktop.org/slirp/libslirp/-/work_items/93
gitlab.freedesktop.org: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/927bca7344e31fd58e2f7afaca784aad4400eb84
gitlab.freedesktop.org: https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.9.2

Credits

Bruce Chen of STAR Labs SG Pte. Ltd.
Shi Weiming of STAR Labs SG Pte. Ltd.