Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread information responses. Attackers can trigger the vulnerability by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures, resulting in double-free memory corruption when the error path attempts to clean up the list.
AnalysisAI
Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.
Technical ContextAI
The vulnerability resides in the gdbr_pids_list() function within radare2's GDB remote protocol client implementation. This function processes thread information responses from GDB servers using the qfThreadInfo/qsThreadInfo protocol commands. The root cause is improper memory management (CWE-416 Use After Free) where RDebugPid structures allocated during successful qfThreadInfo processing are not properly tracked when qsThreadInfo fails, leading to double-free conditions in the error cleanup path. The GDB remote protocol is commonly used for debugging embedded systems and remote targets.
RemediationAI
Update radare2 to a version containing commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c or later. The patch properly initializes dpid pointers to NULL after freeing and checks for NULL before attempting to free memory, preventing the use-after-free condition. As a workaround until patching, avoid connecting radare2's GDB client to untrusted or potentially compromised GDB servers. The vulnerability advisory is available at https://www.vulncheck.com/advisories/radare2-use-after-free-via-gdbr-pids-list with issue tracking at https://github.com/radareorg/radare2/issues/25836.
Same weakness CWE-416 – Use After Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30635
GHSA-8j42-xqfj-g726