Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14757

CVE-2026-14757: Radare2 Buffer Overflow Vulnerability

CVE-2026-14757 is a buffer overflow vulnerability in Radare2 affecting versions up to 6.1.6. The flaw involves an integer overflow in the core_anal_bytes function. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-14757 Overview

CVE-2026-14757 is an integer overflow vulnerability in radare2, an open-source reverse engineering framework maintained by radareorg. The flaw affects versions up to and including 6.1.6 and resides in the core_anal_bytes function within libr/core/cmd_anal.inc. An attacker with local access can trigger the overflow by supplying crafted input during analysis operations. The exploit has been publicly disclosed, though no exploitation in the wild has been reported. The vendor has released a patch to address the issue.

Critical Impact

Local attackers can trigger an integer overflow in the core_anal_bytes analysis routine, potentially resulting in limited impact on confidentiality, integrity, and availability of the radare2 process.

Affected Products

  • radare2 versions up to and including 6.1.6
  • Component: libr/core/cmd_anal.inc
  • Function: core_anal_bytes

Discovery Timeline

  • 2026-07-05 - CVE-2026-14757 published to NVD
  • 2026-07-07 - Last updated in NVD database

Technical Details for CVE-2026-14757

Vulnerability Analysis

The vulnerability is an integer overflow [CWE-189] in the core_anal_bytes function of libr/core/cmd_anal.inc. This function is part of radare2's analysis subsystem, invoked when the user requests byte-level analysis of a target binary. Improper bounds checking during arithmetic operations on byte counts or offsets allows a numeric value to wrap around its maximum representable range.

When the overflow occurs, subsequent calculations rely on truncated or wrapped values. This can lead to undersized buffer allocations, out-of-bounds memory access, or incorrect control flow within the analysis routine. Because radare2 is commonly used to analyze untrusted binaries, an attacker can craft a malicious input file that triggers the overflow when loaded.

Exploitation requires local access with low privileges and no user interaction beyond invoking analysis on the crafted file. The exploit has been publicly disclosed via VulDB submission #850381 and GitHub issue #26041.

Root Cause

The root cause is missing or insufficient validation of arithmetic operations on size or count values within core_anal_bytes. Radare2 performs calculations on byte-analysis parameters without verifying that the result remains within the valid integer range, allowing wraparound to occur.

Attack Vector

The attack vector is local. An attacker must convince a radare2 user to open a specially crafted binary or execute analysis commands against attacker-controlled input. Because reverse engineers routinely analyze untrusted samples, the practical attack surface is meaningful despite the local-only requirement.

No verified exploitation code is publicly linked in the CVE record. See GitHub Issue #26041 for technical details from the upstream project.

Detection Methods for CVE-2026-14757

Indicators of Compromise

  • Unexpected crashes or aborts of the radare2 (r2) process during analysis of untrusted binaries
  • Core dumps referencing core_anal_bytes or cmd_anal.inc in the stack trace
  • Anomalous memory allocation patterns from radare2 processes when analyzing user-supplied files

Detection Strategies

  • Inventory endpoints and analysis workstations running radare2 versions at or below 6.1.6 using software asset management tools
  • Monitor process telemetry for radare2 or r2 crashes correlated with recent file open or analysis commands
  • Review shell history and command logs on multi-user analysis systems for suspicious analysis invocations against unknown binaries

Monitoring Recommendations

  • Enable core dump collection on analyst workstations and forward crash reports to a central location for review
  • Alert on repeated abnormal terminations of the radare2 process from the same user or working directory
  • Track file provenance for binaries submitted to radare2 analysis, especially those obtained from external or untrusted sources

How to Mitigate CVE-2026-14757

Immediate Actions Required

  • Upgrade radare2 to a version newer than 6.1.6 that includes the fix for core_anal_bytes
  • Restrict use of radare2 to trusted binaries until the patch is applied across all analysis endpoints
  • Isolate reverse engineering workstations from production networks and sensitive data stores

Patch Information

A patch is available in the upstream repository. Refer to the GitHub Radare2 Repository and the tracking discussion in GitHub Issue #26041 for the fix commit and updated release tags. Additional details are documented in the VulDB CVE-2026-14757 entry.

Workarounds

  • Analyze untrusted binaries inside disposable virtual machines or containers with no access to sensitive resources
  • Run radare2 as a low-privilege user account dedicated to malware analysis tasks
  • Avoid batch or automated analysis workflows that pass externally sourced files to core_anal_bytes until the upgrade is complete
bash
# Verify installed radare2 version and upgrade from source
r2 -v
git clone https://github.com/radareorg/radare2.git
cd radare2
git pull
sys/install.sh
r2 -v  # Confirm version is newer than 6.1.6

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.