Skip to main content
CVE-2026-14761 LOW Monitor

Integer overflow in radare2's string utility library affects versions up to 6.1.6, allowing a local low-privileged attacker to crash the application through manipulated input processed by r_str_ndup or r_str_append in libr/util/str.c. The impact is limited to availability - no confidentiality or integrity compromise is confirmed by the CVSS 4.0 vector (VC:N/VI:N/VA:L). Publicly available exploit code exists (CVSS 4.0 E:P), though no active exploitation is confirmed and the vulnerability is not listed in the CISA KEV catalog.

Information Disclosure Radare2
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14758 LOW Monitor

Integer overflow in radare2's hexpairs parser crashes the process for local low-privilege users on versions up to 6.1.6. The flaw exists in the `cmd_anal_opcode` function within `libr/core/cmd_anal.inc.c` and produces only a low availability impact with no confidentiality or integrity consequences. Publicly available exploit code exists, but the local-only attack vector and trivial impact class make this a low-priority finding for most deployments. No active exploitation has been confirmed and this vulnerability is not listed in CISA KEV.

Buffer Overflow Radare2
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-14757 LOW Monitor

Integer overflow in radare2's binary analysis function exposes local users on systems running version 6.1.6 or earlier to limited confidentiality, integrity, and availability impacts. The flaw resides in the `core_anal_bytes` function within `libr/core/cmd_anal.inc` and requires only low-privilege local access to trigger via crafted binary input. A public proof-of-concept exploit has been disclosed, though no confirmed active exploitation (CISA KEV) is recorded; the CVSS 4.0 score of 1.9 reflects the tightly constrained local-only attack surface and limited impact scope.

Information Disclosure Radare2
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy