Which versions of radare2 are affected by CVE-2026-8695?

CVE-2026-8695 is a high-severity use-after-free vulnerability in radare2 6.1.5's GDB remote debugging interface that allows remote attackers to crash the application or execute arbitrary code by…. A patch is available.

radare2 CVE-2026-8695

Q: What is the CVSS score of CVE-2026-8695?

CVE-2026-8695 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.3%.

EUVD-2026-30573 HIGH

Use After Free (CWE-416)

2026-05-15 VulnCheck

GHSA-jrmh-3vm7-w5m4

RCE Buffer Overflow Denial Of Service Use After Free Memory Corruption Suse

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 15, 2026 - 17:32 vuln.today

Analysis Generated

May 15, 2026 - 17:32 vuln.today

CVSS changed

May 15, 2026 - 17:22 NVD

7.5 (HIGH) 8.7 (HIGH)

DescriptionNVD

radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response. Attackers can exploit this vulnerability through GDB remote debugging to cause a denial of service or potentially achieve code execution by manipulating thread list processing.

AnalysisAI

Remote attackers can trigger memory corruption in radare2 6.1.5 through its GDB remote debugging interface, causing denial of service or potentially achieving code execution. The use-after-free vulnerability in gdbr_threads_list() occurs when processing a valid qfThreadInfo response followed by a malformed qsThreadInfo response, leading to improper memory management. …

RemediationAI

Within 24 hours: Identify all radare2 6.1.5 installations in your environment, particularly those used for active malware analysis or security research. Within 7 days: Apply vendor patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c or upgrade to the patched release version when available. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-8695 vulnerability details – vuln.today

Back

radare2 CVE-2026-8695

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

radare2 CVE-2026-8695

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code