Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector with PR:L because exploitation requires an authenticated local user running radare2 against a crafted file; only process availability is impacted.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A security vulnerability has been detected in radareorg radare2 up to 6.1.6. Affected by this vulnerability is the function r_core_bin_load of the file libr/core/cfile.c. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 635ab1eeb30340c26076722a90cb91fb2272130b. Applying a patch is advised to resolve this issue.
AnalysisAI
Use-after-free in radare2's r_core_bin_load function (libr/core/cfile.c) affects all versions up to and including 6.1.6, allowing a local low-privileged user to trigger memory corruption resulting in a denial of service. A public proof-of-concept exists (GitHub issue #26049), confirmed by the CVSS 4.0 E:P exploitability modifier, though the vulnerability is not listed in CISA KEV and no confirmed widespread active exploitation is known. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a local user account with at least low-privilege access (confirmed by PR:L in the CVSS 4.0 vector) capable of executing radare2 and invoking the binary loading functionality via r_core_bin_load in libr/core/cfile.c. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N places this firmly in the medium tier with a score of 4.8. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with local system access places a specially crafted binary file on the target system and either directly invokes radare2 to load it, or social-engineers a security analyst into opening the file for reverse engineering. When r_core_bin_load processes the malicious binary, the use-after-free condition is triggered, causing radare2 to crash. … |
| Remediation | The upstream fix is available as commit 635ab1eeb30340c26076722a90cb91fb2272130b, accessible at https://github.com/oldzhu/radare2/commit/635ab1eeb30340c26076722a90cb91fb2272130b. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32 function of libr/arch/p/nds32/nds32-dis.h
An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32_fpu function of libr/arch/p/nds32/nds32-d
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. Rated critical severity (CVSS 9.8), th
radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to exe
Out-of-bounds Read in GitHub repository radareorg/radare2 prior to 5.7.0. Rated critical severity (CVSS 9.1), this vulne
Out-of-bounds Read in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated cri
Out-of-bounds read in `r_bin_ne_get_relocs` function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated critic
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. Rated high severity (CVSS 8.8), this v
Command injection in radare2's PDB parser (versions <6.1.4) enables arbitrary command execution when analysts process ma
In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and store_versioninfo_gnu_ve
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo
Same weakness CWE-416 – Use After Free
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41799
GHSA-3h4h-fp54-55h6