VYPR
Low severity · CVSS 3.3 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-45613

Description

Rizin is a UNIX-like reverse engineering framework and command-line toolset. There is a heap-buffer-overflow in librz/bin/format/omf/omf.c. This vulnerability is fixed by commit e6d0937c8a083e23ed76ccfb9f631cdc50c7af47.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-buffer-overflow in Rizin's OMF parser can cause a crash when opening crafted OMF binaries.

Vulnerability

A heap-buffer-overflow exists in librz/bin/format/omf/omf.c in Rizin, affecting versions prior to commit e6d0937 [1][2]. The bug is in rz_bin_omf_get_entry, which resolves the `_start` symbol to an entry address. The symbol's seg_idx field (a 1-based segment index, hence the `- 1`) is used to index the sections array without a correct bounds check: the original guard used `>` instead of `>=`, so a value of seg_idx - 1 equal to nb_section passed the check and was used to read one element past the end of the heap-allocated array [1].

Exploitation

An attacker can exploit this by crafting a malicious OMF binary whose `_start` symbol carries a seg_idx value of nb_section + 1. The victim must open the crafted binary using Rizin or a tool that links the Rizin library. No special privileges or network access are required beyond delivering the file to the user [2].

Impact

Successful exploitation results in a heap-buffer-overflow read, potentially causing a crash (denial of service) or, in some environments, information disclosure. The CVSS score of 3.3 (Low) reflects the limited impact and requirement for user interaction [2].

Mitigation

The vulnerability is fixed in commit e6d0937c8a083e23ed76ccfb9f631cdc50c7af47 [1]. Users should update Rizin to a version that includes this commit. As a workaround, avoid opening untrusted OMF binaries [2].

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Rizin/Rizin: 2 affected versions (no CPE assigned)

Patches (1)

e6d0937c8a08

Fix OOB read in OMF format plugin (#6336)

https://github.com/rizinorg/rizin · Rot127 · May 11, 2026 · via text-mined
1 file changed · +4 −3
  • librz/bin/format/omf/omf.c (+4 −3, modified)
    @@ -706,12 +706,13 @@ bool rz_bin_omf_get_entry(rz_bin_omf_obj *obj, RzBinAddr *addr) {
     	}
     	while (ct_sym < obj->nb_symbol) {
     		if (!strcmp(obj->symbols[ct_sym]->name, "_start")) {
    -			if (obj->symbols[ct_sym]->seg_idx - 1 > obj->nb_section) {
    +			size_t sec_arr_offset = obj->symbols[ct_sym]->seg_idx - 1;
    +			if (sec_arr_offset >= obj->nb_section) {
     				RZ_LOG_ERROR("Invalid segment index for symbol _start\n");
     				return false;
     			}
    -			addr->vaddr = obj->sections[obj->symbols[ct_sym]->seg_idx - 1]->vaddr + obj->symbols[ct_sym]->offset + OMF_BASE_ADDR;
    -			data = obj->sections[obj->symbols[ct_sym]->seg_idx - 1]->data;
    +			addr->vaddr = obj->sections[sec_arr_offset]->vaddr + obj->symbols[ct_sym]->offset + OMF_BASE_ADDR;
    +			data = obj->sections[sec_arr_offset]->data;
     			while (data) {
     				offset += data->size;
     				if (obj->symbols[ct_sym]->offset < offset) {
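Review bot: the new `if (sec_arr_offset >= obj->nb_section)` guard rejects `seg_idx == 0` only because `seg_idx - 1` wraps to SIZE_MAX once it lands in the `size_t` local; that is correct but implicit, so consider an explicit `if (obj->symbols[ct_sym]->seg_idx == 0)` rejection or a one-line comment stating that OMF segment indices are 1-based. The guard also only protects the `_start` lookup in `rz_bin_omf_get_entry`; if the file indexes `obj->sections[seg_idx - 1]` anywhere else, that site needs the same `>=` comparison rather than `>`.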
    

Vulnerability mechanics

Root cause

"Off-by-one error in bounds check: using `>` instead of `>=` allows an out-of-bounds array index."

Attack vector

An attacker crafts a malformed OMF binary where a symbol's `seg_idx` field is set to a value that, after subtracting 1, equals `obj->nb_section` (or greater). The original check used `>` instead of `>=`, so the invalid index passes the guard and is used to read `obj->sections[seg_idx-1]`, causing an out-of-bounds heap read [CWE-125]. The CVSS vector indicates local access and user interaction (e.g. opening a malicious file in Rizin).

Affected code

The heap-buffer-overflow occurs in the `rz_bin_omf_get_entry` function in `librz/bin/format/omf/omf.c`. The bug is in the bounds check for `obj->symbols[ct_sym]->seg_idx - 1` when looking up a section for the `_start` symbol.

What the fix does

The patch changes the bounds check from `seg_idx - 1 > obj->nb_section` to `sec_arr_offset >= obj->nb_section`. This ensures that when `seg_idx - 1` equals `obj->nb_section` (i.e., one past the last valid index), the check correctly rejects it. The array offset is also stored in a local variable `sec_arr_offset` for readability and reused in the subsequent array accesses.
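To make the off-by-one concrete, the following is an added C model of the `_start` lookup. It is not code from Rizin: it reproduces the pre-fix `>` guard beside the patched `>=` guard and runs both against a constructed one-section object whose `_start` symbol carries a chosen seg_idx. The struct layouts, the `OMF_BASE_ADDR` value and the `probe_*` helpers are assumptions for illustration; where the real code would dereference `obj->sections[off]` past the end of the heap array, the model returns ENTRY_OOB_READ so the difference between the two guards is observable.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in base address; Rizin's real OMF_BASE_ADDR value is not shown here. */
#define OMF_BASE_ADDR 0x1000ULL

/* Minimal stand-ins for the Rizin structures touched by rz_bin_omf_get_entry.
 * Field types are assumptions, chosen so that seg_idx - 1 is computed as size_t,
 * matching the patched code's `size_t sec_arr_offset`. */
typedef struct { uint64_t vaddr; } omf_section;
typedef struct { const char *name; uint32_t seg_idx; uint64_t offset; } omf_symbol;
typedef struct {
    omf_section **sections; size_t nb_section;
    omf_symbol **symbols;   size_t nb_symbol;
} omf_obj;

typedef enum {
    ENTRY_OK = 0,        /* entry resolved from an in-bounds section */
    ENTRY_REJECTED = 1,  /* guard rejected the segment index */
    ENTRY_OOB_READ = 2,  /* guard let an index >= nb_section through: real code reads past the array */
    ENTRY_NO_START = 3   /* no _start symbol present */
} entry_status;

/* Pre-fix guard: `seg_idx - 1 > nb_section` lets off == nb_section through. */
static bool guard_vulnerable(size_t off, size_t nb_section) { return off > nb_section; }
/* Post-fix guard: `sec_arr_offset >= nb_section` also rejects one-past-the-end. */
static bool guard_fixed(size_t off, size_t nb_section) { return off >= nb_section; }

/* Model of the _start lookup; `hardened` selects the patched guard. */
static entry_status get_entry(const omf_obj *obj, bool hardened, uint64_t *vaddr_out) {
    for (size_t i = 0; i < obj->nb_symbol; i++) {
        const omf_symbol *sym = obj->symbols[i];
        if (strcmp(sym->name, "_start") != 0) continue;
        size_t off = (size_t)sym->seg_idx - 1;   /* seg_idx == 0 wraps to SIZE_MAX */
        bool invalid = hardened ? guard_fixed(off, obj->nb_section)
                                : guard_vulnerable(off, obj->nb_section);
        if (invalid) return ENTRY_REJECTED;
        if (off >= obj->nb_section) return ENTRY_OOB_READ;  /* would be sections[off] in Rizin */
        *vaddr_out = obj->sections[off]->vaddr + sym->offset + OMF_BASE_ADDR;
        return ENTRY_OK;
    }
    return ENTRY_NO_START;
}

/* Constructed one-section object whose _start symbol carries seg_idx, i.e. the shape
 * of the crafted file the advisory describes when seg_idx == nb_section + 1 == 2. */
static entry_status probe_entry(uint32_t seg_idx, bool hardened, uint64_t *vaddr_out) {
    omf_section sec0 = { .vaddr = 0x2000 };
    omf_section *sections[1] = { &sec0 };
    omf_symbol start = { .name = "_start", .seg_idx = seg_idx, .offset = 0x10 };
    omf_symbol *symbols[1] = { &start };
    omf_obj obj = { .sections = sections, .nb_section = 1, .symbols = symbols, .nb_symbol = 1 };
    return get_entry(&obj, hardened, vaddr_out);
}

/* Status only, without the out-parameter. */
static entry_status probe_status(uint32_t seg_idx, bool hardened) {
    uint64_t unused = 0;
    return probe_entry(seg_idx, hardened, &unused);
}

/* Resolved entry vaddr, or 0 when the lookup did not succeed. */
static uint64_t probe_vaddr(uint32_t seg_idx, bool hardened) {
    uint64_t v = 0;
    return probe_entry(seg_idx, hardened, &v) == ENTRY_OK ? v : 0;
}

int main(void) {
    static const char *names[] = { "ok", "rejected", "OOB read", "no _start" };
    uint32_t cases[] = { 1, 2, 3, 0 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("seg_idx=%u  pre-fix: %-9s post-fix: %s\n", cases[i],
               names[probe_status(cases[i], false)], names[probe_status(cases[i], true)]);
    }
    return 0;
}
```

Only seg_idx == nb_section + 1 separates the two guards: larger values are caught by `>` as well, and seg_idx == 0 is caught in both because the subtraction wraps to SIZE_MAX in the size_t offset.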

Preconditions

  • input: The attacker must supply a crafted OMF binary whose `_start` symbol has seg_idx set to nb_section + 1.
  • auth: The victim must open the malicious file with Rizin's OMF parser (e.g., via rizin or rz-bin).

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)
