Skip to main content

radare2 CVE-2026-8696

| EUVDEUVD-2026-30635 HIGH
Use After Free (CWE-416)
2026-05-15 disclosure@vulncheck.com GHSA-8j42-xqfj-g726
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 15, 2026 - 21:30 vuln.today
Analysis Generated
May 15, 2026 - 21:30 vuln.today

DescriptionCVE.org

radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread information responses. Attackers can trigger the vulnerability by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures, resulting in double-free memory corruption when the error path attempts to clean up the list.

AnalysisAI

Memory corruption in radare2 6.1.5's GDB client allows remote attackers to crash the application or potentially execute code through malformed thread information responses. The vulnerability triggers when the GDB remote protocol's qsThreadInfo command fails after qfThreadInfo has allocated memory, causing a use-after-free condition. While no public exploits have been identified, the CVSS 8.7 score reflects the potential for remote unauthenticated denial of service impact.

Technical ContextAI

The vulnerability resides in the gdbr_pids_list() function within radare2's GDB remote protocol client implementation. This function processes thread information responses from GDB servers using the qfThreadInfo/qsThreadInfo protocol commands. The root cause is improper memory management (CWE-416 Use After Free) where RDebugPid structures allocated during successful qfThreadInfo processing are not properly tracked when qsThreadInfo fails, leading to double-free conditions in the error cleanup path. The GDB remote protocol is commonly used for debugging embedded systems and remote targets.

RemediationAI

Update radare2 to a version containing commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c or later. The patch properly initializes dpid pointers to NULL after freeing and checks for NULL before attempting to free memory, preventing the use-after-free condition. As a workaround until patching, avoid connecting radare2's GDB client to untrusted or potentially compromised GDB servers. The vulnerability advisory is available at https://www.vulncheck.com/advisories/radare2-use-after-free-via-gdbr-pids-list with issue tracking at https://github.com/radareorg/radare2/issues/25836.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-8696 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy