CVE-2026-31053 Overview
A double free vulnerability exists in the Rizin reverse engineering framework within the librz/bin/format/le/le.c file, specifically in the le_load_fixup_record() function. When processing malformed or circular LE (Linear Executable) fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated into a service pipeline.
Critical Impact
Applications or services using Rizin to process untrusted LE binaries may be vulnerable to denial-of-service attacks through heap corruption triggered by malformed fixup chains.
Affected Products
- Rizin reverse engineering framework (versions containing vulnerable le.c implementation)
- Applications and services integrating Rizin for binary analysis
- Automated binary analysis pipelines processing untrusted LE executables
Discovery Timeline
- 2026-04-06 - CVE-2026-31053 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-31053
Vulnerability Analysis
This double free vulnerability (CWE-415) occurs in the LE binary format parser within Rizin. The vulnerability manifests during the processing of fixup records in Linear Executable (LE) format binaries, which is a legacy executable format used primarily in OS/2 and early Windows systems.
When the le_load_fixup_record() function encounters malformed or circular fixup chains, the error handling logic may attempt to free relocation entries that have already been deallocated. This improper memory management leads to heap corruption, which in the observed cases results in application crashes.
The local attack vector means an attacker must be able to provide a malicious LE binary to be processed by a Rizin-based application or service. This is particularly concerning for automated analysis pipelines, malware analysis sandboxes, or any service that accepts and processes untrusted binary files using Rizin.
Root Cause
The root cause is improper memory management in the error handling path of the le_load_fixup_record() function. When processing LE format binaries with malformed or circular fixup chains, the code fails to properly track which memory allocations have already been freed, leading to a double free condition. This is a classic memory safety issue where the cleanup logic during error handling does not account for all possible states of partially processed data.
Attack Vector
The attack requires local access and involves providing a specially crafted LE binary file to a Rizin-based application. The exploitation scenario includes:
- An attacker creates a malicious LE binary with deliberately malformed or circular fixup chains
- The victim application processes this binary using Rizin's LE format parser
- The le_load_fixup_record() function encounters the malformed data and enters error handling
- During cleanup, relocation entries are freed multiple times, corrupting the heap
- The heap corruption causes the application to crash, resulting in denial of service
For services integrated in analysis pipelines, this could be exploited to disrupt automated malware analysis or binary inspection workflows. The vulnerability mechanism is detailed in GitHub Issue #5753.
Detection Methods for CVE-2026-31053
Indicators of Compromise
- Unexpected crashes in Rizin or Rizin-based applications when processing LE format binaries
- Heap corruption error messages or segmentation faults during binary analysis operations
- Abnormal termination of automated binary analysis pipelines without clear cause
Detection Strategies
- Monitor for application crashes with heap corruption signatures in Rizin-based tools
- Implement input validation to detect potentially malformed LE binary fixup chains before processing
- Enable AddressSanitizer (ASan) in development and testing environments to catch double free conditions early
Monitoring Recommendations
- Log all binary analysis operations and correlate with application stability metrics
- Set up alerting for repeated crashes in binary analysis services
- Monitor memory allocation patterns for anomalies when processing untrusted binaries
How to Mitigate CVE-2026-31053
Immediate Actions Required
- Update Rizin to a patched version that addresses the double free vulnerability
- Restrict processing of untrusted LE format binaries until patches are applied
- Implement process isolation for binary analysis operations to contain potential crashes
- Review service integrations to ensure failures are handled gracefully without broader impact
Patch Information
The Rizin development team has addressed this vulnerability through Pull Request #5795. Users should update to the latest version of Rizin that includes this fix. The patch corrects the memory management logic in le_load_fixup_record() to properly track freed allocations and prevent double free conditions.
Workarounds
- Run Rizin-based binary analysis in isolated containers or sandboxes to limit denial-of-service impact
- Implement pre-validation checks on LE binaries before passing them to Rizin for analysis
- Configure service monitoring and automatic restart capabilities for analysis pipelines
- Consider disabling LE format support if not required for your use case
# Configuration example - Run Rizin in isolated container for untrusted binaries
docker run --rm --memory=512m --cpus=1 \
-v /path/to/untrusted:/analysis:ro \
rizin/rizin:latest rz-bin -I /analysis/suspect.exe
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
