Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14789

CVE-2026-14789: Radare2 Buffer Overflow Vulnerability

CVE-2026-14789 is a stack-based buffer overflow flaw in Radare2 affecting versions up to 6.1.6 that can be exploited through local manipulation. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-14789 Overview

CVE-2026-14789 is a stack-based buffer overflow vulnerability in the reverse engineering framework radare2 maintained by radareorg. The flaw affects versions up to and including 6.1.6 and resides in the Memory64ListStream parser implementation within libr/bin/format/mdmp/mdmp.c. An attacker with local access can manipulate a crafted Windows minidump (MDMP) file to trigger memory corruption on the stack when the file is parsed. The issue is tracked under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer). Public exploit details are available, and upstream maintainers have released commit 175d4addb68981331c85b10681c2161c38fb5762 to address the flaw.

Critical Impact

Local processing of a malicious MDMP file can corrupt stack memory in the radare2 parser, potentially leading to denial of service or influencing execution flow in analyst environments.

Affected Products

  • radare radare2 versions up to 6.1.6
  • Distributions and packages bundling vulnerable radare2 builds
  • Automated analysis pipelines invoking radare2 on untrusted MDMP samples

Discovery Timeline

  • 2026-07-06 - CVE-2026-14789 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-14789

Vulnerability Analysis

The vulnerability resides in the minidump (MDMP) format handler in libr/bin/format/mdmp/mdmp.c. When radare2 parses the Memory64ListStream stream of a Windows minidump file, the parser performs operations without adequate bounds enforcement on the stack buffer used to hold parsed structures. Supplying a manipulated stream header or entry count causes the parser to write past the intended stack allocation.

Because radare2 is frequently used by malware analysts to inspect untrusted binaries and crash dumps, opening an attacker-supplied MDMP file is a plausible operator action. Successful exploitation can crash the tool, corrupt adjacent stack data, or influence control flow depending on compiler mitigations such as stack canaries and ASLR.

Root Cause

The root cause is missing or insufficient validation of size and count fields inside the Memory64ListStream structure before the parser copies or iterates over stream entries on a fixed-size stack buffer. This aligns with CWE-119, where operations are performed outside the bounds of the intended memory region. The upstream patch 175d4addb68981331c85b10681c2161c38fb5762 corrects the boundary handling in the affected parser.

Attack Vector

Exploitation requires local access and low privileges. An attacker delivers a crafted MDMP file, then a user or automated pipeline loads it in radare2 (for example via r2 sample.dmp). No user interaction beyond opening the file is required once it is on the system. The vulnerability does not expose a network-facing service.

Refer to the upstream discussion in the radare2 issue tracker and the VulDB entry for CVE-2026-14789 for parser-level technical details.

Detection Methods for CVE-2026-14789

Indicators of Compromise

  • Unexpected crashes or SIGSEGV terminations of radare2, r2, or rabin2 processes when opening MDMP files.
  • Presence of MDMP files with malformed or oversized Memory64ListStream headers in analyst working directories.
  • Core dumps produced by radare2 referencing stack corruption inside libr/bin/format/mdmp/mdmp.c frames.

Detection Strategies

  • Inventory hosts running radare2 and compare installed versions against 6.1.6 and earlier.
  • Hunt for command-line invocations of radare2, r2, or rabin2 with .dmp or .mdmp arguments in shell history and process telemetry.
  • Alert on process crash events for radare2 binaries followed by shell or child process activity that deviates from the analyst's baseline.

Monitoring Recommendations

  • Collect EDR process and crash telemetry from analyst workstations and sandbox VMs that run radare2.
  • Monitor file writes of .dmp and .mdmp artifacts from untrusted download sources such as browsers and email clients.
  • Track invocations of radare2 inside automation, CI, or malware triage pipelines and correlate with process termination status codes.

How to Mitigate CVE-2026-14789

Immediate Actions Required

  • Upgrade radare2 to a build that includes commit 175d4addb68981331c85b10681c2161c38fb5762 from the radareorg/radare2 repository.
  • Restrict use of radare2 on untrusted MDMP files to isolated, non-privileged sandbox environments.
  • Remove or quarantine any suspicious .dmp or .mdmp samples pending analysis in a hardened environment.

Patch Information

The upstream fix is delivered as commit 175d4addb68981331c85b10681c2161c38fb5762, which corrects the boundary handling in the Memory64ListStream parser inside libr/bin/format/mdmp/mdmp.c. Rebuild radare2 from source or install a distribution package that incorporates this commit. Verify the fixed version by inspecting the git log of the installed source tree.

Workarounds

  • Avoid opening untrusted MDMP files with vulnerable radare2 builds until the patch is applied.
  • Run radare2 under a low-privileged user account and inside a container or virtual machine when analyzing external samples.
  • Enable compiler and OS hardening such as stack canaries, ASLR, and non-executable stack when building radare2 from source.
bash
# Verify installed radare2 version and rebuild from patched source
r2 -v

git clone https://github.com/radareorg/radare2.git
cd radare2
git log --oneline | grep 175d4addb68981331c85b10681c2161c38fb5762
sys/install.sh

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.