1.9 LOW
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): Low (L)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Exploit Maturity (E): POC (P)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): Low (L)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored
- @LeSuisse accepted
- @LeSuisse published on GitHub
radareorg radare2 cfile.c r_core_bin_load use after free
A security vulnerability has been detected in radareorg radare2 up to 6.1.6. Affected by this vulnerability is the function r_core_bin_load of the file libr/core/cfile.c. Such manipulation leads to use after free. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 635ab1eeb30340c26076722a90cb91fb2272130b. Applying a patch is advised to resolve this issue.
References
-
VDB-376377 | radareorg radare2 cfile.c r_core_bin_load use after free vdb-entrytechnical-description
-
Ignored references (5)
-
Submit #850388 | radareorg radare2 6.1.6 Use After Free third-party-advisory
-
CVE-2026-14788 | CVE Analysis and Report third-party-advisory
-
Affected products
- ==6.1.6
- ==6.1.4
- ==6.1.2
- ==6.1.3
- ==6.1.1
- ==6.1.5
- ==6.1.0
Package maintainers
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@makefu Felix Richter <makefu@syntax-fehler.de>
-
@arkivm Vikram Narayanan <vikram186@gmail.com>
-
@Mic92 Jörg Thalheim <joerg@thalheim.io>
-
@azahi Azat Bahawi <azat@bahawi.net>
1.9 LOW
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): Low (L)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Exploit Maturity (E): POC (P)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): Low (L)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored
- @LeSuisse accepted
- @LeSuisse published on GitHub
radareorg radare2 pb Print cmd_print.inc cmd_print integer overflow
A weakness has been identified in radareorg radare2 up to 6.1.6. Affected is the function cmd_print in the library libr/core/cmd_print.inc of the component pb Print Command Handler. This manipulation causes integer overflow. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: 2b6265476c75567006b0fcbb749f4ae7b189c5df. It is recommended to apply a patch to fix this issue.
References
-
VDB-376376 | radareorg radare2 pb Print cmd_print.inc cmd_print integer overflow vdb-entrytechnical-description
-
Ignored references (5)
-
Submit #850387 | radareorg radare2 6.1.6 Integer Overflow third-party-advisory
-
CVE-2026-14787 | CVE Analysis and Report third-party-advisory
-
Affected products
- ==6.1.6
- ==6.1.4
- ==6.1.2
- ==6.1.3
- ==6.1.1
- ==6.1.5
- ==6.1.0
Package maintainers
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@makefu Felix Richter <makefu@syntax-fehler.de>
-
@arkivm Vikram Narayanan <vikram186@gmail.com>
-
@Mic92 Jörg Thalheim <joerg@thalheim.io>
-
@azahi Azat Bahawi <azat@bahawi.net>
1.9 LOW
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): Low (L)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Exploit Maturity (E): POC (P)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): Low (L)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored
- @LeSuisse restored reference https://g…
- @LeSuisse ignored reference https://g…
- @LeSuisse accepted
- @LeSuisse published on GitHub
radareorg radare2 Memory64ListStream mdmp.c stack-based overflow
A vulnerability was detected in radareorg radare2 up to 6.1.6. Affected by this issue is some unknown functionality of the file libr/bin/format/mdmp/mdmp.c of the component Memory64ListStream Parser. Performing a manipulation results in stack-based buffer overflow. The attack requires a local approach. The exploit is now public and may be used. The patch is named 175d4addb68981331c85b10681c2161c38fb5762. It is suggested to install a patch to address this issue.
References
Ignored references (5)
-
-
CVE-2026-14789 | CVE Analysis and Report third-party-advisory
-
Submit #850389 | radareorg radare2 6.1.6 Improper Input Validation third-party-advisory
Affected products
- ==6.1.6
- ==6.1.4
- ==6.1.2
- ==6.1.3
- ==6.1.1
- ==6.1.5
- ==6.1.0
Package maintainers
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@makefu Felix Richter <makefu@syntax-fehler.de>
-
@arkivm Vikram Narayanan <vikram186@gmail.com>
-
@Mic92 Jörg Thalheim <joerg@thalheim.io>
-
@azahi Azat Bahawi <azat@bahawi.net>
1.9 LOW
- CVSS version (CVSS): 4.0
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Attack Requirement (AT): None (N)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Vulnerable System Impact Confidentiality (VC): None (N)
- Vulnerable System Impact Integrity (VI): None (N)
- Vulnerable System Impact Availability (VA): Low (L)
- Subsequent System Impact Confidentiality (SC): None (N)
- Subsequent System Impact Integrity (SI): None (N)
- Subsequent System Impact Availability (SA): None (N)
- Exploit Maturity (E): POC (P)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Attack Requirement (MAT): None (N)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Vulnerable System Impact Confidentiality (MVC): None (N)
- Modified Vulnerable System Impact Integrity (MVI): None (N)
- Modified Vulnerable System Impact Availability (MVA): Low (L)
- Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
- Modified Subsequent System Impact Integrity (MSI): Negligible (N)
- Modified Subsequent System Impact Availability (MSA): Negligible (N)
- Safety (S): Not Defined (X)
- Automatable (AU): Not Defined (X)
- Recovery (R): Not Defined (X)
- Value Density (V): Not Defined (X)
- Vulnerability Response Effort (RE): Not Defined (X)
- Provider Urgency (U): Not Defined (X)
- Confidentiality Req. (CR): Not Defined (X)
- Integrity Req. (IR): Not Defined (X)
- Availability Req. (AR): Not Defined (X)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse ignored
- @LeSuisse accepted
- @LeSuisse published on GitHub
radareorg radare2 str.c r_str_word_get0set integer overflow
A security flaw has been discovered in radareorg radare2 up to 6.1.6. This impacts the function r_str_word_get0set of the file libr/util/str.c. The manipulation results in integer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 11ac224c0eb8d57830fccc99e1c1cd8e5d958813. It is best practice to apply a patch to resolve this issue.
References
-
VDB-376375 | radareorg radare2 str.c r_str_word_get0set integer overflow vdb-entrytechnical-description
-
Ignored references (4)
-
Submit #850386 | radareorg radare2 6.1.6 Integer Overflow third-party-advisory
-
CVE-2026-14786 | CVE Analysis and Report third-party-advisory
-
Affected products
- ==6.1.6
- ==6.1.4
- ==6.1.2
- ==6.1.3
- ==6.1.1
- ==6.1.5
- ==6.1.0
Package maintainers
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@makefu Felix Richter <makefu@syntax-fehler.de>
-
@arkivm Vikram Narayanan <vikram186@gmail.com>
-
@Mic92 Jörg Thalheim <joerg@thalheim.io>
-
@azahi Azat Bahawi <azat@bahawi.net>