Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local attack vector, low privileges to run the tool, no scope change, and only availability impact consistent with a crash from integer overflow.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in radareorg radare2 up to 6.1.6. The affected element is the function r_str_ndup/r_str_append of the file libr/util/str.c. The manipulation leads to integer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The identifier of the patch is a20a56917ae85d732e683f8d9078bdcfee92446c. Applying a patch is the recommended action to fix this issue.
AnalysisAI
Integer overflow in radare2's string utility library affects versions up to 6.1.6, allowing a local low-privileged attacker to crash the application through manipulated input processed by r_str_ndup or r_str_append in libr/util/str.c. The impact is limited to availability - no confidentiality or integrity compromise is confirmed by the CVSS 4.0 vector (VC:N/VI:N/VA:L). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires local access to a system where radare2 is installed, with at least low-privilege execution rights (PR:L per CVSS 4.0). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The overall risk is very low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A local attacker with low-privilege access on a system running radare2 crafts malicious input - such as a specially structured binary or string argument - that triggers the integer overflow in r_str_ndup or r_str_append during processing. The overflow causes an incorrect memory size calculation, leading to a crash of the radare2 process. … |
| Remediation | The upstream fix is available as commit a20a56917ae85d732e683f8d9078bdcfee92446c in the radare2 GitHub repository (https://github.com/radareorg/radare2/commit/a20a56917ae85d732e683f8d9078bdcfee92446c); however, no tagged release version incorporating this fix has been independently confirmed from the available intelligence - treat this as an upstream fix available via source, with a formally released patched version not yet verified. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32 function of libr/arch/p/nds32/nds32-dis.h
An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32_fpu function of libr/arch/p/nds32/nds32-d
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. Rated critical severity (CVSS 9.8), th
radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to exe
Out-of-bounds Read in GitHub repository radareorg/radare2 prior to 5.7.0. Rated critical severity (CVSS 9.1), this vulne
Out-of-bounds Read in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated cri
Out-of-bounds read in `r_bin_ne_get_relocs` function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated critic
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. Rated high severity (CVSS 8.8), this v
Command injection in radare2's PDB parser (versions <6.1.4) enables arbitrary command execution when analysts process ma
In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and store_versioninfo_gnu_ve
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo
Same weakness CWE-189 – Numeric Errors
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41771
GHSA-q4m4-82h9-qfgv