CRITICAL🇵🇱 Wersja polska

CVE-2025-1864

CVSS 10.0v4.0pub. 2025-03-03upd. 2025-07-01

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in radareorg radare2 allows Overflow Buffers.This issue affects radare2: before <5.9.9.

🤖 AI Analysis
How it works

The vulnerability (CWE-119, CWE-120) consists of improper restriction of operations performed within the memory buffer, leading to its overflow. An attacker can provide crafted input data that exceeds the allocated buffer, overwriting adjacent memory areas. The lack of privilege requirements (PR:N) and user interaction requirements (UI:N) means the attack can be conducted remotely over the network without any preconditions.

Impact

An attacker can gain full control over the vulnerable system, including the ability to read and modify data (VC:H, VI:H) and cause service unavailability (VA:H). The vulnerability may also affect related systems (SC:H, SI:H, SA:H), threatening takeover of infrastructure beyond the direct target of the attack.

Mitigation & patch

radare2 should be updated to version 5.9.9 or newer. A patch is available in the project repository (pull request #23981 on GitHub). Priority implementation of the update is recommended, especially in environments where radare2 processes files or data from untrusted sources.

Who is affected

All radare2 versions (radareorg/radare2) older than 5.9.9.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Radare Radare2

    APP
    Radare
    ≤ 5.9.8
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-1744CRITICAL10.0PL ✓ten sam produkt

Krytyczny Out-of-bounds Write (heap buffer overflow) w Radare2

CVE-2024-29646CRITICAL9.8PL ✓ten sam produkt

Buffer Overflow w Radare2 umożliwiający wykonanie dowolnego kodu (RCE)

CVE-2023-46569CRITICAL9.8ten sam produkt

An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32_fpu function of libr/arch/p/nds...

CVE-2023-46570CRITICAL9.8ten sam produkt

An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32 function of libr/arch/p/nds32/n...

CVE-2023-4322CRITICAL9.8ten sam produkt

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.