CVE-2026-14759 Overview
CVE-2026-14759 is a heap-based buffer overflow in radare2, the open-source reverse engineering framework maintained by radareorg. The flaw resides in the r_bin_java_inner_classes_attr_calc_size function within shlr/java/class.c, part of the RBinJava Line Number Table parser. Versions of radare2 up to 6.1.6 are affected. An attacker with local access can trigger the vulnerability by supplying a crafted Java class file, resulting in an out-of-bounds read on the heap. Public exploit details have been released, though no in-the-wild exploitation has been confirmed. The vulnerability is tracked under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
Local attackers can trigger a 2-byte out-of-bounds heap read by supplying a malformed Java class file, causing crashes and potential information disclosure in analyst workflows.
Affected Products
- radare radare2 versions up to and including 6.1.6
- Component: RBinJava Line Number Table Parser (shlr/java/class.c)
- Function: r_bin_java_inner_classes_attr_calc_size
Discovery Timeline
- 2026-07-05 - CVE-2026-14759 published to NVD
- 2026-07-09 - Last updated in NVD database
- Patch commit - cd62d15a6cbecdc67fd03f3ebdbbbeb741d18f87 merged to the radare2 repository
Technical Details for CVE-2026-14759
Vulnerability Analysis
The vulnerability exists in radare2's Java bytecode parser. When radare2 processes a Java class file, the RBinJava module parses attribute structures including the LineNumberTable. The parser in r_bin_java_line_number_table_attr_new validated that the input buffer size was at least 6 bytes before reading attribute headers. However, the function actually reads 8 bytes of header data, allowing a 2-byte out-of-bounds heap read when a class file provides a buffer between 6 and 7 bytes in size. This is classified as [CWE-119], improper restriction of operations within memory buffer bounds.
Root Cause
The root cause is an insufficient bounds check. The size guard if (sz < 6) did not match the actual number of bytes subsequently dereferenced from the buffer. When parsing crafted attributes, r_bin_java_inner_classes_attr_calc_size propagates the undersized buffer to downstream reads, resulting in heap-based memory access beyond the allocation boundary.
Attack Vector
Exploitation requires local access. An attacker crafts a malicious Java class or JAR file and convinces an analyst to open it in radare2 for reverse engineering. Because radare2 is frequently used to triage untrusted binaries, this attack pattern is realistic in malware analysis environments. Successful exploitation causes a process crash and may permit limited heap memory disclosure.
// Patch from shlr/java/class.c
static RBinJavaAttrInfo *r_bin_java_line_number_table_attr_new(RBinJavaObj *bin, ut8 *buffer, ut64 sz, ut64 buf_offset) {
ut32 i = 0;
ut64 curpos, offset = 0;
- if (sz < 6) {
+ if (sz < 8) {
return NULL;
}
RBinJavaAttrInfo *attr = r_bin_java_default_attr_new (bin, buffer, sz, buf_offset);
Source: radare2 commit cd62d15a. The fix raises the minimum buffer size check from 6 to 8 bytes, matching the actual number of bytes the parser reads.
Detection Methods for CVE-2026-14759
Indicators of Compromise
- Unexpected crashes or segmentation faults in radare2 (r2, rabin2, rafind2) when analyzing Java .class or .jar files
- AddressSanitizer heap-buffer-overflow reports referencing r_bin_java_line_number_table_attr_new or r_bin_java_inner_classes_attr_calc_size
- Malformed Java class files with truncated LineNumberTable attribute structures present in analyst sample repositories
Detection Strategies
- Inventory hosts running radare2 versions at or below 6.1.6 using software asset management tooling
- Enable AddressSanitizer or Valgrind on radare2 builds used in automated analysis pipelines to surface heap-boundary violations
- Correlate radare2 process crashes with recently opened untrusted Java samples in EDR telemetry
Monitoring Recommendations
- Monitor for radare2 processes terminating abnormally on analyst workstations and sandbox nodes
- Log command-line invocations of r2, rabin2, and related binaries with file arguments to trace which samples triggered failures
- Review core dumps from automated triage systems for signatures of Java parser crashes
How to Mitigate CVE-2026-14759
Immediate Actions Required
- Upgrade radare2 to a version containing commit cd62d15a6cbecdc67fd03f3ebdbbbeb741d18f87 (post-6.1.6)
- Restrict radare2 usage on untrusted Java samples to isolated analysis virtual machines or containers
- Audit CI/CD pipelines and automated malware triage systems that invoke radare2 on attacker-controlled input
Patch Information
The upstream fix is available in the radare2 repository as commit cd62d15a6cbecdc67fd03f3ebdbbbeb741d18f87. The patch corrects the minimum buffer size validation in r_bin_java_line_number_table_attr_new from 6 to 8 bytes. Additional context is available in the radare2 issue tracker for issue #26043 and the VulDB report for CVE-2026-14759.
Workarounds
- Avoid opening untrusted or unknown-origin Java class files with vulnerable radare2 builds until patched
- Run radare2 under least-privilege user accounts inside disposable sandboxes when triaging suspicious binaries
- Apply the two-line source patch manually to local builds when packaged updates are not yet available for your distribution
# Build and install patched radare2 from source
git clone https://github.com/radareorg/radare2.git
cd radare2
git checkout cd62d15a6cbecdc67fd03f3ebdbbbeb741d18f87
sys/install.sh
r2 -v # Confirm the installed version includes the fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

