Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated on a service pipeline.
AnalysisAI
Double free vulnerability in Rizin's LE binary format parser (librz/bin/format/le/le.c) allows local attackers to trigger heap corruption and denial of service by providing a specially crafted LE binary with circular or malformed fixup chains. The le_load_fixup_record() function improperly manages memory during error handling, freeing relocation entries multiple times. With CVSS 6.2 and local attack vector, this poses moderate risk to systems and automated analysis pipelines that process untrusted binaries without sandboxing.
Technical ContextAI
The vulnerability exists in Rizin's LE (Linear Executable) binary format parser, specifically in the le_load_fixup_record() function within librz/bin/format/le/le.c. The LE format is a DOS-era executable format that includes fixup records for relocation information. The root cause (CWE-415: Double Free) stems from improper memory lifecycle management during the parsing of fixup chains; when processing malformed or circular fixup chains, the code path executes multiple free() calls on the same heap-allocated relocation entry structure without proper state tracking or guards. This causes heap metadata corruption on systems using malloc implementations that track freed blocks, leading to crash or potential code execution depending on heap state. The vulnerability affects Rizin, a binary analysis framework and successor to the Radare2 project, which is widely used for reverse engineering, malware analysis, and binary instrumentation.
RemediationAI
Users should update Rizin to a patched version that includes the fix merged in pull request #5795 (https://github.com/rizinorg/rizin/pull/5795). The specific patched version number is not confirmed in the provided data; refer to the official Rizin releases page and the GitHub PR for exact version availability. As a workaround pending patching, restrict analysis of untrusted LE binaries and avoid processing files from untrusted sources in automated pipelines. Implement file-type whitelisting if LE binaries are not required for your use case. For users in continuous integration or malware analysis environments, consider running Rizin in a sandboxed or containerized environment with memory-protection features enabled.
Same weakness CWE-415 – Double Free
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19250
GHSA-h848-fw25-hp2w