Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14758

CVE-2026-14758: Radare2 Buffer Overflow Vulnerability

CVE-2026-14758 is a buffer overflow vulnerability in Radare2 affecting versions up to 6.1.6. The flaw allows local attackers to exploit an integer overflow condition. This article covers technical details, impact, and patches.

Published:

CVE-2026-14758 Overview

CVE-2026-14758 is an integer overflow vulnerability [CWE-189] in radare2, an open-source reverse engineering framework maintained by radareorg. The flaw affects the cmd_anal_opcode function in libr/core/cmd_anal.inc.c, specifically within the hexpairs parser component. Versions up to and including 6.1.6 are impacted. An attacker with local access and low privileges can trigger the overflow by supplying a crafted opcode count, causing radare2 to crash. A public exploit exists, and the maintainers released commit 84e773986e7e5bb30453a9384f498ec0ccc9d0a9 to remediate the issue.

Critical Impact

Local attackers can trigger an integer overflow in the radare2 aos command parser, resulting in a denial-of-service crash of the analysis session.

Affected Products

  • radare2 versions up to 6.1.6
  • libr/core/cmd_anal.inc.c component
  • hexpairs Parser subsystem

Discovery Timeline

  • 2026-07-05 - CVE-2026-14758 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-14758

Vulnerability Analysis

The vulnerability resides in the cmd_anal_opcode function that handles the aos command family used to analyze sequences of opcodes. The parser reads a user-supplied numeric value representing the opcode count and casts it into a signed 32-bit integer without validating the upper bound. When the supplied value exceeds ST32_MAX / 8, the multiplication used in subsequent buffer sizing calculations wraps, producing an undersized allocation or an out-of-range index.

Exploitation requires local interaction with the radare2 process, such as opening a malicious script or session file, or piping crafted input to an active analysis session. The result is a controlled crash of the r2 process rather than remote code execution.

Root Cause

The root cause is missing input validation in the numeric conversion path. The code invoked r_num_get and cast the result directly to int without checking whether the returned ut64 value would overflow when multiplied by the per-opcode buffer size.

Attack Vector

An attacker delivers a radare2 project file, script (.r2 file), or command that invokes the aos command family with an oversized opcode count parameter. When a local user or automated pipeline processes the input, radare2 hits the overflow and terminates. The attack requires local, authenticated access and no user interaction beyond loading the target file.

c
// Security patch in libr/core/cmd_anal.inc.c
// Fix #26042 - aos opcode count overflow crash
            }
        }
        if (input[1] && input[2]) {
-            l = (int)r_num_get (core->num, input + 1);
+            ut64 n = r_num_get (core->num, input + 1);
+            if (n > ST32_MAX / 8) {
+                R_LOG_ERROR ("Invalid opcode count");
+                return;
+            }
+            l = (int)n;
            if (l > 0) {
                count = l;
            }
// Source: https://github.com/radareorg/radare2/commit/84e773986e7e5bb30453a9384f498ec0ccc9d0a9

The patch introduces an explicit upper bound check against ST32_MAX / 8 before narrowing the ut64 value to int, rejecting oversized inputs with an error message.

Detection Methods for CVE-2026-14758

Indicators of Compromise

  • Unexpected radare2 process crashes with SIGSEGV or SIGABRT termination signals during analysis sessions
  • Presence of aos command invocations with abnormally large numeric arguments in r2 scripts or history files
  • Core dumps generated from radare2 processes on analyst workstations or CI pipelines

Detection Strategies

  • Audit radare2 project files, .r2 scripts, and command histories for numeric arguments exceeding ST32_MAX / 8 passed to aos commands
  • Monitor radare2 binary version strings across analyst systems and identify installations at or below 6.1.6
  • Review shared reverse engineering artifacts received from untrusted sources before opening in vulnerable radare2 builds

Monitoring Recommendations

  • Enable process crash logging on systems where analysts routinely run radare2 to correlate faults with recently opened artifacts
  • Track invocation of radare2 in automated malware analysis pipelines and alert on non-zero exit codes
  • Include the 84e773986e7e5bb30453a9384f498ec0ccc9d0a9 patch commit in software composition analysis rules for downstream forks and distributions

How to Mitigate CVE-2026-14758

Immediate Actions Required

  • Upgrade radare2 to a release that includes commit 84e773986e7e5bb30453a9384f498ec0ccc9d0a9 from the radare2 GitHub repository
  • Rebuild any downstream distributions, container images, or forks that vendor radare2 6.1.6 or earlier
  • Avoid executing untrusted r2 scripts or opening untrusted project files on hosts running unpatched radare2

Patch Information

The official fix is available in commit 84e773986e7e5bb30453a9384f498ec0ccc9d0a9, which adds bounds validation to the opcode count parsing logic in cmd_anal_opcode. Refer to the GitHub issue tracker entry #26042 and the VulDB CVE-2026-14758 record for additional context.

Workarounds

  • Restrict use of radare2 to trusted input files only until the patched version is deployed
  • Run radare2 inside disposable sandboxes or containers so that a crash from a malicious opcode count does not disrupt the host analysis environment
  • Remove or disable automation that invokes aos commands with externally sourced numeric arguments
bash
# Verify the installed radare2 version and rebuild from patched source
r2 -v
git clone https://github.com/radareorg/radare2.git
cd radare2
git log --oneline | grep 84e77398
sys/install.sh

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.