CVE-2026-4753
Out-of-Bounds Read in slajerek RetroDebugger Before v
Publication date: 2026-03-24
Last updated on: 2026-05-05
Assigner: Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| slajerek | retrodebugger | to 0.64.72 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds read issue in the RetroDebugger software, specifically in the `unescape()` function located in the file `src/Emulators/vice/monitor/mon_lex.c`. The vulnerable code was originally copied from GNU Aspell but did not include the security patch that fixed a similar issue in GNU Aspell (CVE-2019-17544). The vulnerability allows the program to read memory outside the intended bounds, which can lead to security risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is an out-of-bounds read in the `unescape()` function of RetroDebugger before version 0.64.72. Detection would involve identifying if the vulnerable version of RetroDebugger is present on your system.
You can check the installed version of RetroDebugger by running a command such as:
- retrodebugger --version
If the version is earlier than 0.64.72, the system is potentially vulnerable.
Additionally, since this is a local software vulnerability rather than a network service, network detection commands are not directly applicable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update RetroDebugger to version 0.64.72 or later, where the out-of-bounds read vulnerability in the `unescape()` function has been fixed.
If updating is not immediately possible, avoid processing untrusted input that could trigger the vulnerable `unescape()` function.
Applying the patch from the RetroDebugger pull request #97, which synchronizes the code with the fixed GNU Aspell version, will also mitigate the issue.
How can this vulnerability impact me? :
The impact of this vulnerability is significant as indicated by its CVSS score of 9.1. It allows an attacker to perform an out-of-bounds read, which can lead to high confidentiality and availability impacts. This means sensitive information could be exposed and the affected system could become unstable or crash, potentially disrupting normal operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know