{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "4.9.2"
              }
            ],
            "source": "AFFECTED_FIELD"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "97b325339a1377249e68e6c58e9c15a6e1bba4c1"
            }
          ],
          "repo": "https://gitlab.freedesktop.org/slirp/libslirp",
          "type": "GIT"
        }
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "STAR_Labs",
    "cwe_ids": [
      "CWE-125"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9539.json"
  },
  "details": "An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a privileged guest VM attacker (root or CAP_NET_RAW) to leak gigabytes of sensitive host-process heap memory via sending crafted TCP segments with manipulated URG flags and urgent pointers (ti_urp).",
  "id": "CVE-2026-9539",
  "modified": "2026-07-15T01:49:11.881027400Z",
  "published": "2026-06-24T04:37:01.955Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9539.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://gitlab.freedesktop.org/slirp/libslirp/-/releases/v4.9.2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9539"
    },
    {
      "type": "REPORT",
      "url": "https://gitlab.freedesktop.org/slirp/libslirp/-/work_items/93"
    },
    {
      "type": "FIX",
      "url": "https://gitlab.freedesktop.org/slirp/libslirp/-/commit/927bca7344e31fd58e2f7afaca784aad4400eb84"
    },
    {
      "type": "PACKAGE",
      "url": "https://gitlab.freedesktop.org/slirp/libslirp/"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "libslirp TCP URG OOB Read Information Leak"
}