Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14760

CVE-2026-14760: Radare2 Use-After-Free Vulnerability

CVE-2026-14760 is a use-after-free vulnerability in Radare2 affecting the r_core_seek_arch_bits function. This flaw allows local attackers to exploit memory corruption. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-14760 Overview

CVE-2026-14760 is a use-after-free vulnerability in radare2, the open-source reverse engineering framework maintained by radareorg. The flaw affects versions up to 6.1.6 and resides in the r_core_seek_arch_bits function within libr/core/disasm.c, part of the regprofile handler. The issue is tracked under [CWE-119] (improper restriction of operations within memory buffer bounds). Exploitation requires local access to a system where a user analyzes attacker-controlled input with radare2. The vendor released a fix in commit 8b25c773785d85cb0103410a0905089d286921c2.

Critical Impact

A local attacker can trigger memory corruption by supplying a crafted binary or regprofile change during a disassembly loop, potentially causing crashes or limited availability impact within the radare2 process.

Affected Products

  • radare radare2 versions up to and including 6.1.6
  • Component: regprofile Handler (libr/core/disasm.c)
  • Function: r_core_seek_arch_bits

Discovery Timeline

  • 2026-07-05 - CVE-2026-14760 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-14760

Vulnerability Analysis

The vulnerability is a use-after-free ([CWE-119]) in the r_core_disasm_pde code path. Radare2 caches a pointer to the PC register item obtained from core->anal->reg before entering the disassembly loop. Inside the loop, operations such as regprofile changes can free or reallocate the underlying RReg structure. Subsequent accesses to the cached RRegItem *pc pointer then reference freed memory. The condition is triggered during pde (print disassembly extended) command execution when the register profile mutates mid-iteration. The EPSS score of this issue is low, but a public exploit reference exists in the upstream issue tracker.

Root Cause

The root cause is a stale pointer retained across an operation that invalidates the referenced object. The original implementation resolved the RReg pointer and its PC register item once, then iterated. When regprofile changes occur inside the loop, the register structure is refreshed, leaving the cached pointer dangling. Dereferencing this pointer produces the use-after-free.

Attack Vector

Exploitation requires local access and low privileges. An attacker must convince a radare2 user to run the pde command against a target where the register profile is altered during iteration, for example via a crafted analysis session or a binary that triggers automatic architecture switching. The attack does not require user interaction beyond running the affected command.

c
// Patch from commit 8b25c773785d85cb0103410a0905089d286921c2
// libr/core/disasm.c - refresh RReg and PC inside the loop

+static RRegItem *pde_refresh_pc(RCore *core, RReg **reg) {
+	*reg = core->anal->reg;
+	return r_reg_get (*reg, "PC", R_REG_TYPE_ALL);
+}
+
 R_API int r_core_disasm_pde(RCore *core, int nb_opcodes, int mode) {
 	// R2R db/cmd/cmd_pde
 	if (nb_opcodes < 1) {
 		return 0;
 	}
-	RReg *reg = core->anal->reg;
-	RRegItem *pc = r_reg_get (reg, "PC", R_REG_TYPE_ALL);
+	RReg *reg;
+	RRegItem *pc = pde_refresh_pc (core, ®);
 	if (!pc) {
 		return -1;
 	}
// Source: https://github.com/radareorg/radare2/commit/8b25c773785d85cb0103410a0905089d286921c2

The patch introduces a helper pde_refresh_pc that re-resolves the RReg pointer and the PC register item, ensuring the pointer is valid after regprofile mutations.

Detection Methods for CVE-2026-14760

Indicators of Compromise

  • Unexpected radare2 process crashes with SIGSEGV or SIGABRT during pde command execution
  • Core dumps referencing r_core_seek_arch_bits or r_core_disasm_pde in the call stack
  • Radare2 sessions loading untrusted binaries followed by abnormal termination

Detection Strategies

  • Inventory installed radare2 versions across analyst workstations and compare against the fixed commit 8b25c773785d85cb0103410a0905089d286921c2
  • Monitor for radare2 crashes and correlate with recently opened files or scripts
  • Enable AddressSanitizer builds of radare2 in malware analysis sandboxes to surface use-after-free conditions before deployment

Monitoring Recommendations

  • Log process termination events for radare2 and r2 binaries with exit codes indicating memory faults
  • Track file provenance for samples loaded into radare2, particularly binaries from untrusted external sources
  • Alert on repeated crash patterns tied to the same input sample across analyst hosts

How to Mitigate CVE-2026-14760

Immediate Actions Required

  • Upgrade radare2 to a version that includes commit 8b25c773785d85cb0103410a0905089d286921c2 or later
  • Restrict use of radare2 to isolated analysis virtual machines or containers when processing untrusted samples
  • Audit shared analyst systems for outdated radare2 installations distributed via package managers or manual builds

Patch Information

The upstream fix is available in the radare2 GitHub repository as commit 8b25c773785d85cb0103410a0905089d286921c2. Additional context is documented in radare2 issue #26044 and the VulDB CVE record. Rebuild radare2 from source after pulling the patched commit or wait for a tagged release beyond 6.1.6.

Workarounds

  • Avoid executing the pde command against binaries or scripts that mutate the register profile during analysis
  • Run radare2 inside a non-privileged, sandboxed account to limit the impact of local memory corruption
  • Disable automated analysis pipelines that invoke radare2 on untrusted input until the patch is applied
bash
# Build patched radare2 from source
git clone https://github.com/radareorg/radare2.git
cd radare2
git checkout 8b25c773785d85cb0103410a0905089d286921c2
./sys/install.sh
r2 -v   # verify updated version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.