Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14787

CVE-2026-14787: Radare2 Buffer Overflow Vulnerability

CVE-2026-14787 is a buffer overflow flaw in Radare2 affecting versions up to 6.1.6. The vulnerability exists in the cmd_print function and can be exploited locally. This article covers technical details, impact, and mitigations.

Published:

CVE-2026-14787 Overview

CVE-2026-14787 is an integer overflow vulnerability in radare2, the open-source reverse engineering framework maintained by radareorg. The flaw resides in the cmd_print function within libr/core/cmd_print.inc, specifically in the pb print command handler. Attackers with local access can trigger the overflow by supplying a crafted length value that exceeds safe boundaries during buffer size calculation. The vulnerability affects radare2 versions up to and including 6.1.6. A patch has been published upstream under commit 2b6265476c75567006b0fcbb749f4ae7b189c5df.

Critical Impact

Local exploitation of the integer overflow in the pb command handler can cause radare2 to crash, disrupting reverse engineering workflows and potentially enabling memory corruption conditions.

Affected Products

  • radare2 versions up to and including 6.1.6
  • Distributions bundling vulnerable libr/core builds
  • Downstream tools and plugins linking against affected radare2 libraries

Discovery Timeline

  • 2026-07-06 - CVE-2026-14787 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-14787

Vulnerability Analysis

The vulnerability is an integer overflow classified under [CWE-189] in the pb print command handler of radare2. When a user invokes the pb command with a large len argument, the code computes size = len * 8 without validating the input against integer boundaries. This multiplication can wrap around, producing a small or negative size value that is then passed to malloc. The resulting undersized buffer allows subsequent writes to overflow allocated memory.

Exploitation requires local access and low privileges. The attacker must interact with radare2 directly, either by running the tool against a crafted target or by feeding malicious command input during an analysis session.

Root Cause

The root cause is missing bounds validation before multiplying user-controlled length values. The fix introduces a check that rejects negative values and values exceeding ST32_MAX / 8, preventing the multiplication from overflowing.

Attack Vector

A local attacker supplies a malicious length parameter to the pb command. The unchecked arithmetic produces an incorrect buffer size, leading to a crash or memory corruption. Public exploit information is referenced in the upstream issue tracker.

c
// Patch: libr/core/cmd_print.inc.c - Fix #26048 integer overflow in pb
 	if (input[1] == '?') {
 		r_core_cmd_help_match (core, help_msg_p, "pb");
 	} else if (l != 0) {
+		if (len < 0 || len > ST32_MAX / 8) {
+			R_LOG_ERROR ("Invalid length");
+			return;
+		}
 		int from, to;
 		const int size = len * 8;
 		char *spc, *buf = malloc (size + 1);
// Source: https://github.com/phix33/radare2/commit/2b6265476c75567006b0fcbb749f4ae7b189c5df

Detection Methods for CVE-2026-14787

Indicators of Compromise

  • Unexpected crashes of radare2 processes during pb command execution
  • Core dumps referencing cmd_print in libr/core/cmd_print.inc
  • Presence of radare2 binaries at or below version 6.1.6 on analyst workstations

Detection Strategies

  • Inventory installed radare2 versions across engineering and forensics endpoints and flag builds up to 6.1.6.
  • Monitor for repeated abnormal terminations of radare2 processes correlated with local user activity.
  • Review shell history and process telemetry for pb commands accompanied by unusually large numeric arguments.

Monitoring Recommendations

  • Enable process crash and core-dump collection on systems where analysts run radare2.
  • Alert on execution of radare2 binaries from unexpected paths or by non-analyst accounts.
  • Track package manager events that install or update radare2 to confirm patched versions are deployed.

How to Mitigate CVE-2026-14787

Immediate Actions Required

  • Update radare2 to a release containing commit 2b6265476c75567006b0fcbb749f4ae7b189c5df or newer.
  • Restrict radare2 execution to trusted analyst accounts on shared systems.
  • Avoid opening untrusted scripts or .r2 command files in vulnerable radare2 installations.

Patch Information

The upstream fix is available in the radare2 patch commit, which adds validation rejecting len values that are negative or greater than ST32_MAX / 8. Additional context is available in GitHub Issue #26048 and the VulDB entry for CVE-2026-14787.

Workarounds

  • Refrain from executing the pb command with untrusted or attacker-controlled length arguments until patched.
  • Run radare2 inside a sandbox or container to contain crashes and limit blast radius.
  • Remove radare2 from systems where it is not actively required for analysis workflows.
bash
# Verify installed radare2 version and update from source
r2 -v
git clone https://github.com/radareorg/radare2.git
cd radare2
sys/install.sh

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.