Aggregates CVE and security vulnerability intelligence across all Radare2-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk buffer overflow, vendor risk memory corruption, vendor risk path handling, and vendor risk input validation and related problems; some flaws may lead to vendor impact application crash.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-8696 | radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread information responses. Attackers can trigger the vulnerability by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures, resulting in double-free memory corruption when the error path attempts to clean up the list. | [email protected] | 8.7 | 0.37% | 2026-05-15 | 2026-05-19 |
| CVE-2026-8695 | radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response. Attackers can exploit this vulnerability through GDB remote debugging to cause a denial of service or potentially achieve code execution by manipulating thread list processing. | [email protected] | 8.7 | 0.36% | 2026-05-15 | 2026-05-18 |
| CVE-2026-6942 | radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the jsonrpc interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication. | [email protected] | 9.3 | 0.21% | 2026-04-23 | 2026-06-04 |
| CVE-2026-6941 | radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory. | [email protected] | 6.9 | 0.01% | 2026-04-23 | 2026-04-27 |
| CVE-2026-6940 | radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss. | [email protected] | 6.9 | 0.02% | 2026-04-23 | 2026-04-27 |
| CVE-2026-40517 | radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare | [email protected] | 8.4 | 0.02% | 2026-04-22 | 2026-04-27 |
| CVE-2026-40527 | radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string. | [email protected] | 8.5 | 0.07% | 2026-04-17 | 2026-06-05 |
| CVE-2026-40499 | radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file. | [email protected] | 8.4 | 0.03% | 2026-04-15 | 2026-05-01 |
| CVE-2025-63745 | A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data. | [email protected] | 5.5 | 0.01% | 2025-11-14 | 2025-11-19 |
| CVE-2025-63744 | A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the load() function of bin_dyldcache.c. Processing a crafted file can cause a segmentation fault and crash the program. | [email protected] | 4.3 | 0.03% | 2025-11-14 | 2025-11-19 |
| CVE-2025-60361 | radare2 v5.9.8 and before contains a memory leak in the function bochs_open. | [email protected] | 3.3 | 0.01% | 2025-10-17 | 2025-10-23 |
| CVE-2025-60360 | radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init. | [email protected] | 5.5 | 0.01% | 2025-10-17 | 2025-10-23 |
| CVE-2025-60359 | radare2 v5.9.8 and before contains a memory leak in the function r_bin_object_new. | [email protected] | 5.5 | 0.01% | 2025-10-17 | 2025-10-23 |
| CVE-2025-60358 | radare2 v.5.9.8 and before contains a memory leak in the function _load_relocations. | [email protected] | 5.5 | 0.02% | 2025-10-16 | 2025-10-23 |
| CVE-2025-5648 | A vulnerability was found in Radare2 5.9.9. It has been classified as problematic. Affected is the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. An attack has to be approached locally. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the | [email protected] | 2.0 | 0.06% | 2025-06-05 | 2025-06-17 |
| CVE-2025-5647 | A vulnerability was found in Radare2 5.9.9 and classified as problematic. This issue affects the function r_cons_context_break_pop in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doub | [email protected] | 2.0 | 0.06% | 2025-06-05 | 2025-06-23 |
| CVE-2025-5646 | A vulnerability has been found in Radare2 5.9.9 and classified as problematic. This vulnerability affects the function r_cons_rainbow_free in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerabi | [email protected] | 2.0 | 0.06% | 2025-06-05 | 2025-06-23 |
| CVE-2025-5645 | A vulnerability, which was classified as problematic, was found in Radare2 5.9.9. This affects the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the mom | [email protected] | 2.0 | 0.06% | 2025-06-05 | 2025-06-23 |
| CVE-2025-5644 | A vulnerability, which was classified as problematic, has been found in Radare2 5.9.9. Affected by this issue is the function r_cons_flush in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to use after free. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability i | [email protected] | 2.0 | 0.12% | 2025-06-05 | 2025-06-23 |
| CVE-2025-5643 | A vulnerability classified as problematic was found in Radare2 5.9.9. Affected by this vulnerability is the function cons_stack_load in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubte | [email protected] | 2.0 | 0.16% | 2025-06-05 | 2025-06-23 |