Radare2
by Radare
Source repositories
CVEs (26)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40517 | Hig | 0.51 | 7.8 | 0.00 | Apr 22, 2026 | radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator. | |
| CVE-2017-16358 | Hig | 0.51 | 7.8 | 0.00 | Nov 1, 2017 | In radare 2.0.1, an out-of-bounds read vulnerability exists in string_scan_range() in libr/bin/bin.c when doing a string search. | |
| CVE-2017-16357 | Hig | 0.51 | 7.8 | 0.00 | Nov 1, 2017 | In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c, as demonstrated by an invalid free. This error is due to improper sh_size validation when allocating memory. | |
| CVE-2017-15932 | Hig | 0.51 | 7.8 | 0.00 | Oct 27, 2017 | In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c via crafted ELF files when parsing the ELF version on 32bit systems. | |
| CVE-2017-15931 | Hig | 0.51 | 7.8 | 0.00 | Oct 27, 2017 | In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c via crafted ELF files on 32bit systems. | |
| CVE-2017-10929 | Hig | 0.51 | 7.8 | 0.00 | Jul 5, 2017 | The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, possibly related to a read overflow in the grub_disk_read_small_real function in kern/disk.c in GNU GRUB 2.02. | |
| CVE-2017-9949 | Hig | 0.51 | 7.8 | 0.00 | Jun 26, 2017 | The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause a denial of service (stack-based buffer underflow and application crash) or possibly have unspecified other impact via a crafted binary file, possibly related to a buffer underflow in fs/ext2.c in GNU GRUB 2.02. | |
| CVE-2017-6448 | Hig | 0.51 | 7.8 | 0.00 | Apr 3, 2017 | The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 1.2.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted DEX file. | |
| CVE-2017-6194 | Hig | 0.51 | 7.8 | 0.00 | Apr 3, 2017 | The relocs function in libr/bin/p/bin_bflt.c in radare2 1.2.1 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file. | |
| CVE-2017-6319 | Hig | 0.51 | 7.8 | 0.00 | Mar 2, 2017 | The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1.2.1 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted DEX file. | |
| CVE-2017-9763 | Hig | 0.49 | 7.5 | 0.01 | Jun 19, 2017 | The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows remote attackers to cause a denial of service (excessive stack use and application crash) via a crafted binary file, related to use of a variable-size stack array. | |
| CVE-2026-6940 | Hig | 0.46 | 7.1 | 0.00 | Apr 23, 2026 | radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss. | |
| CVE-2026-40499 | Hig | 0.44 | 7.8 | 0.00 | Apr 15, 2026 | radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file. | |
| CVE-2026-6941 | Med | 0.36 | 6.6 | 0.00 | Apr 23, 2026 | radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory. | |
| CVE-2017-16805 | Med | 0.36 | 5.5 | 0.00 | Nov 13, 2017 | In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted ELF file, related to r_bin_dwarf_parse_comp_unit in dwarf.c and sdb_set_internal in shlr/sdb/src/sdb.c. | |
| CVE-2017-16359 | Med | 0.36 | 5.5 | 0.00 | Nov 1, 2017 | In radare 2.0.1, a pointer wraparound vulnerability exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c. | |
| CVE-2017-9762 | Med | 0.36 | 5.5 | 0.00 | Jun 19, 2017 | The cmd_info function in libr/core/cmd_info.c in radare2 1.5.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted binary file. | |
| CVE-2017-9761 | Med | 0.36 | 5.5 | 0.00 | Jun 19, 2017 | The find_eoq function in libr/core/cmd.c in radare2 1.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file. | |
| CVE-2017-9520 | Med | 0.36 | 5.5 | 0.00 | Jun 8, 2017 | The r_config_set function in libr/config/config.c in radare2 1.5.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted DEX file. | |
| CVE-2017-7946 | Med | 0.36 | 5.5 | 0.00 | Apr 18, 2017 | The get_relocs_64 function in libr/bin/format/mach0/mach0.c in radare2 1.3.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted Mach0 file. |
Page 1 of 2