A security vulnerability has been detected in Mupen64Plus up to 2.6.0. The affected element is the function write_is_viewer of the file src/device/cart/is_viewer.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
I guess this is a fully automatic process and no one really looked at it, correct? The possibility "to initiate the attack remotely" is probably nonsense but there are issues in the emulator which allow host side code execution when loading a malicious ROM. Another CVE but I believe this one is already fixed in one of the linked PRs: https://github.com/mupen64plus/mupen64plus-core/issues/1146
Started a new discussion upstream to get some more context: https://github.com/mupen64plus/mupen64plus-core/issues/1149#issuecomment-3287379037 Patches in openbsd: https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/emulators/mupen64plus/core/patches/