Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-31053

CVE-2026-31053: librz/bin Double Free DoS Vulnerability

CVE-2026-31053 is a double free vulnerability in librz/bin/format/le/le.c that causes heap corruption and application crashes. This post covers the technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-31053 Overview

A double free vulnerability exists in the Rizin reverse engineering framework within the librz/bin/format/le/le.c file, specifically in the le_load_fixup_record() function. When processing malformed or circular LE (Linear Executable) fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated into a service pipeline.

Critical Impact

Applications or services using Rizin to process untrusted LE binaries may be vulnerable to denial-of-service attacks through heap corruption triggered by malformed fixup chains.

Affected Products

  • Rizin reverse engineering framework (versions containing vulnerable le.c implementation)
  • Applications and services integrating Rizin for binary analysis
  • Automated binary analysis pipelines processing untrusted LE executables

Discovery Timeline

  • 2026-04-06 - CVE-2026-31053 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-31053

Vulnerability Analysis

This double free vulnerability (CWE-415) occurs in the LE binary format parser within Rizin. The vulnerability manifests during the processing of fixup records in Linear Executable (LE) format binaries, which is a legacy executable format used primarily in OS/2 and early Windows systems.

When the le_load_fixup_record() function encounters malformed or circular fixup chains, the error handling logic may attempt to free relocation entries that have already been deallocated. This improper memory management leads to heap corruption, which in the observed cases results in application crashes.

The local attack vector means an attacker must be able to provide a malicious LE binary to be processed by a Rizin-based application or service. This is particularly concerning for automated analysis pipelines, malware analysis sandboxes, or any service that accepts and processes untrusted binary files using Rizin.

Root Cause

The root cause is improper memory management in the error handling path of the le_load_fixup_record() function. When processing LE format binaries with malformed or circular fixup chains, the code fails to properly track which memory allocations have already been freed, leading to a double free condition. This is a classic memory safety issue where the cleanup logic during error handling does not account for all possible states of partially processed data.

Attack Vector

The attack requires local access and involves providing a specially crafted LE binary file to a Rizin-based application. The exploitation scenario includes:

  1. An attacker creates a malicious LE binary with deliberately malformed or circular fixup chains
  2. The victim application processes this binary using Rizin's LE format parser
  3. The le_load_fixup_record() function encounters the malformed data and enters error handling
  4. During cleanup, relocation entries are freed multiple times, corrupting the heap
  5. The heap corruption causes the application to crash, resulting in denial of service

For services integrated in analysis pipelines, this could be exploited to disrupt automated malware analysis or binary inspection workflows. The vulnerability mechanism is detailed in GitHub Issue #5753.

Detection Methods for CVE-2026-31053

Indicators of Compromise

  • Unexpected crashes in Rizin or Rizin-based applications when processing LE format binaries
  • Heap corruption error messages or segmentation faults during binary analysis operations
  • Abnormal termination of automated binary analysis pipelines without clear cause

Detection Strategies

  • Monitor for application crashes with heap corruption signatures in Rizin-based tools
  • Implement input validation to detect potentially malformed LE binary fixup chains before processing
  • Enable AddressSanitizer (ASan) in development and testing environments to catch double free conditions early

Monitoring Recommendations

  • Log all binary analysis operations and correlate with application stability metrics
  • Set up alerting for repeated crashes in binary analysis services
  • Monitor memory allocation patterns for anomalies when processing untrusted binaries

How to Mitigate CVE-2026-31053

Immediate Actions Required

  • Update Rizin to a patched version that addresses the double free vulnerability
  • Restrict processing of untrusted LE format binaries until patches are applied
  • Implement process isolation for binary analysis operations to contain potential crashes
  • Review service integrations to ensure failures are handled gracefully without broader impact

Patch Information

The Rizin development team has addressed this vulnerability through Pull Request #5795. Users should update to the latest version of Rizin that includes this fix. The patch corrects the memory management logic in le_load_fixup_record() to properly track freed allocations and prevent double free conditions.

Workarounds

  • Run Rizin-based binary analysis in isolated containers or sandboxes to limit denial-of-service impact
  • Implement pre-validation checks on LE binaries before passing them to Rizin for analysis
  • Configure service monitoring and automatic restart capabilities for analysis pipelines
  • Consider disabling LE format support if not required for your use case
bash
# Configuration example - Run Rizin in isolated container for untrusted binaries
docker run --rm --memory=512m --cpus=1 \
  -v /path/to/untrusted:/analysis:ro \
  rizin/rizin:latest rz-bin -I /analysis/suspect.exe

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.