CVE-2026-14788 Overview
CVE-2026-14788 is a use-after-free vulnerability in radare2, the open-source reverse engineering framework maintained by radareorg. The flaw resides in the r_core_bin_load function within libr/core/cfile.c and affects radare2 versions up to 6.1.6. Exploitation requires local access with low privileges and no user interaction. The vulnerability is tracked under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). A public exploit has been disclosed, and the maintainers have released a patch identified by commit hash 635ab1eeb30340c26076722a90cb91fb2272130b.
Critical Impact
Local attackers can trigger a use-after-free condition during binary loading, potentially leading to process crashes or memory corruption in radare2 sessions.
Affected Products
- radare2 versions up to and including 6.1.6
- The libr/core/cfile.c component of the radare2 framework
- The r_core_bin_load function used during binary loading operations
Discovery Timeline
- 2026-07-06 - CVE-2026-14788 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-14788
Vulnerability Analysis
The vulnerability is a use-after-free condition triggered when radare2 loads a binary through r_core_bin_load in libr/core/cfile.c. The function manages an RIODesc descriptor pointer during binary loading. When the load path executes with cmd.load behavior, the code retains a stale pointer to a descriptor that has already been released. Subsequent operations dereference the freed memory, corrupting the heap state of the radare2 process.
The issue was tracked in the radare2 project as GitHub Issue #26049, titled "cmd.load descriptor UAF in bin load." Because radare2 is commonly used to analyze untrusted binaries during malware research and reverse engineering, a crafted input file can reliably reach the vulnerable code path.
Root Cause
The root cause is unsafe descriptor lifetime management within r_core_bin_load. The original code stored an RIODesc *odesc pointer alongside a separate RIODesc *mustclose pointer, allowing the descriptor to be freed while odesc remained in use. The patched version replaces the mustclose pointer with a boolean flag and captures the descriptor file identifier odesc_fd up front, preventing later dereferences of a released descriptor.
Attack Vector
Exploitation requires local access to a system running a vulnerable radare2 build. An attacker supplies a specially crafted binary that the victim opens in radare2, causing the vulnerable code path in r_core_bin_load to execute. The attack does not require elevated privileges or user interaction beyond loading the file.
r->bin->options.minstrlen = r_config_get_i (r->config, "bin.str.min");
r->bin->options.maxstrbuf = r_config_get_i (r->config, "bin.str.maxbuf");
R_CRITICAL_LEAVE (r);
- RIODesc *odesc = NULL;
- RIODesc *mustclose = NULL;
- odesc = r->io->desc;
+ RIODesc *odesc = r->io->desc;
+ bool mustclose = false;
+ const int odesc_fd = odesc? odesc->fd: -1;
if (desc && is_io_load) {
int desc_fd = desc->fd;
// TODO? necessary to restore the desc back?
Source: GitHub Commit 635ab1e. This patch fixes the descriptor lifetime bug by tracking the file descriptor ID separately and replacing the raw mustclose pointer with a boolean.
Detection Methods for CVE-2026-14788
Indicators of Compromise
- Unexpected crashes or segmentation faults from radare2 (r2) processes when loading untrusted binaries
- Presence of radare2 binary versions at or below 6.1.6 on analyst workstations or automated analysis pipelines
- Suspicious binary files staged in reverse engineering directories that trigger repeatable crashes on load
Detection Strategies
- Inventory installed radare2 versions across analyst workstations and CI/CD pipelines to identify builds prior to the fix commit 635ab1eeb30340c26076722a90cb91fb2272130b.
- Monitor for process crash telemetry involving radare2, r2, or embedded libr components, especially when correlated with newly introduced binary samples.
- Review shell history and command-line logs for r2 invocations against files sourced from untrusted locations.
Monitoring Recommendations
- Enable core dump collection on reverse engineering hosts to capture use-after-free crashes for forensic analysis.
- Track file provenance for samples loaded into radare2 sessions, alerting on binaries originating from external email, chat, or web downloads.
- Correlate abnormal radare2 process terminations with local user activity to identify potential exploitation attempts.
How to Mitigate CVE-2026-14788
Immediate Actions Required
- Update radare2 to a build that includes commit 635ab1eeb30340c26076722a90cb91fb2272130b or a released version newer than 6.1.6.
- Restrict use of vulnerable radare2 builds to isolated analysis environments such as disposable virtual machines or containers.
- Avoid opening untrusted binaries with affected radare2 versions until the patch is applied.
Patch Information
The fix is available in the upstream radare2 repository as commit 635ab1eeb30340c26076722a90cb91fb2272130b, addressing GitHub Issue #26049. Rebuild radare2 from the official repository after pulling the patched sources, or install a distribution package that incorporates the fix.
Workarounds
- Run radare2 inside a sandboxed container or virtual machine with no access to sensitive data or credentials.
- Enforce least-privilege user accounts for reverse engineering workflows to limit the blast radius of a local compromise.
- Pre-screen unknown binaries with static file-format validation tools before loading them into radare2.
# Configuration example: rebuild radare2 from patched sources
git clone https://github.com/radareorg/radare2.git
cd radare2
git log --oneline | grep 635ab1e # confirm patch commit is present
sys/install.sh
r2 -v # verify patched version is running
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

