Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14759

CVE-2026-14759: Radare2 Buffer Overflow Vulnerability

CVE-2026-14759 is a heap-based buffer overflow flaw in Radare2 affecting the RBinJava parser. Attackers can exploit this locally in versions up to 6.1.6. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-14759 Overview

CVE-2026-14759 is a heap-based buffer overflow in radare2, the open-source reverse engineering framework maintained by radareorg. The flaw resides in the r_bin_java_inner_classes_attr_calc_size function within shlr/java/class.c, part of the RBinJava Line Number Table parser. Versions of radare2 up to 6.1.6 are affected. An attacker with local access can trigger the vulnerability by supplying a crafted Java class file, resulting in an out-of-bounds read on the heap. Public exploit details have been released, though no in-the-wild exploitation has been confirmed. The vulnerability is tracked under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).

Critical Impact

Local attackers can trigger a 2-byte out-of-bounds heap read by supplying a malformed Java class file, causing crashes and potential information disclosure in analyst workflows.

Affected Products

  • radare radare2 versions up to and including 6.1.6
  • Component: RBinJava Line Number Table Parser (shlr/java/class.c)
  • Function: r_bin_java_inner_classes_attr_calc_size

Discovery Timeline

  • 2026-07-05 - CVE-2026-14759 published to NVD
  • 2026-07-09 - Last updated in NVD database
  • Patch commit - cd62d15a6cbecdc67fd03f3ebdbbbeb741d18f87 merged to the radare2 repository

Technical Details for CVE-2026-14759

Vulnerability Analysis

The vulnerability exists in radare2's Java bytecode parser. When radare2 processes a Java class file, the RBinJava module parses attribute structures including the LineNumberTable. The parser in r_bin_java_line_number_table_attr_new validated that the input buffer size was at least 6 bytes before reading attribute headers. However, the function actually reads 8 bytes of header data, allowing a 2-byte out-of-bounds heap read when a class file provides a buffer between 6 and 7 bytes in size. This is classified as [CWE-119], improper restriction of operations within memory buffer bounds.

Root Cause

The root cause is an insufficient bounds check. The size guard if (sz < 6) did not match the actual number of bytes subsequently dereferenced from the buffer. When parsing crafted attributes, r_bin_java_inner_classes_attr_calc_size propagates the undersized buffer to downstream reads, resulting in heap-based memory access beyond the allocation boundary.

Attack Vector

Exploitation requires local access. An attacker crafts a malicious Java class or JAR file and convinces an analyst to open it in radare2 for reverse engineering. Because radare2 is frequently used to triage untrusted binaries, this attack pattern is realistic in malware analysis environments. Successful exploitation causes a process crash and may permit limited heap memory disclosure.

c
// Patch from shlr/java/class.c
static RBinJavaAttrInfo *r_bin_java_line_number_table_attr_new(RBinJavaObj *bin, ut8 *buffer, ut64 sz, ut64 buf_offset) {
    ut32 i = 0;
    ut64 curpos, offset = 0;
-   if (sz < 6) {
+   if (sz < 8) {
        return NULL;
    }
    RBinJavaAttrInfo *attr = r_bin_java_default_attr_new (bin, buffer, sz, buf_offset);

Source: radare2 commit cd62d15a. The fix raises the minimum buffer size check from 6 to 8 bytes, matching the actual number of bytes the parser reads.

Detection Methods for CVE-2026-14759

Indicators of Compromise

  • Unexpected crashes or segmentation faults in radare2 (r2, rabin2, rafind2) when analyzing Java .class or .jar files
  • AddressSanitizer heap-buffer-overflow reports referencing r_bin_java_line_number_table_attr_new or r_bin_java_inner_classes_attr_calc_size
  • Malformed Java class files with truncated LineNumberTable attribute structures present in analyst sample repositories

Detection Strategies

  • Inventory hosts running radare2 versions at or below 6.1.6 using software asset management tooling
  • Enable AddressSanitizer or Valgrind on radare2 builds used in automated analysis pipelines to surface heap-boundary violations
  • Correlate radare2 process crashes with recently opened untrusted Java samples in EDR telemetry

Monitoring Recommendations

  • Monitor for radare2 processes terminating abnormally on analyst workstations and sandbox nodes
  • Log command-line invocations of r2, rabin2, and related binaries with file arguments to trace which samples triggered failures
  • Review core dumps from automated triage systems for signatures of Java parser crashes

How to Mitigate CVE-2026-14759

Immediate Actions Required

  • Upgrade radare2 to a version containing commit cd62d15a6cbecdc67fd03f3ebdbbbeb741d18f87 (post-6.1.6)
  • Restrict radare2 usage on untrusted Java samples to isolated analysis virtual machines or containers
  • Audit CI/CD pipelines and automated malware triage systems that invoke radare2 on attacker-controlled input

Patch Information

The upstream fix is available in the radare2 repository as commit cd62d15a6cbecdc67fd03f3ebdbbbeb741d18f87. The patch corrects the minimum buffer size validation in r_bin_java_line_number_table_attr_new from 6 to 8 bytes. Additional context is available in the radare2 issue tracker for issue #26043 and the VulDB report for CVE-2026-14759.

Workarounds

  • Avoid opening untrusted or unknown-origin Java class files with vulnerable radare2 builds until patched
  • Run radare2 under least-privilege user accounts inside disposable sandboxes when triaging suspicious binaries
  • Apply the two-line source patch manually to local builds when packaged updates are not yet available for your distribution
bash
# Build and install patched radare2 from source
git clone https://github.com/radareorg/radare2.git
cd radare2
git checkout cd62d15a6cbecdc67fd03f3ebdbbbeb741d18f87
sys/install.sh
r2 -v  # Confirm the installed version includes the fix

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.