CVE-2026-4174 Overview
A resource consumption vulnerability has been discovered in Radare2 version 5.9.9, affecting the walk_exports_trie function within the Mach-O file parser component (libr/bin/format/mach0/mach0.c). This vulnerability allows local attackers to trigger excessive resource consumption by providing specially crafted Mach-O files, potentially leading to denial of service conditions.
Critical Impact
Local attackers can cause resource exhaustion in Radare2 by supplying maliciously crafted Mach-O binary files, impacting availability of the reverse engineering tool. Note: The existence of this vulnerability is disputed by the code maintainer.
Affected Products
- Radare2 version 5.9.9
- Radare2 versions prior to 6.1.2
Discovery Timeline
- 2026-03-16 - CVE CVE-2026-4174 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-4174
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption). The flaw exists within the Mach-O file parsing functionality of Radare2, specifically in the walk_exports_trie function located in libr/bin/format/mach0/mach0.c. When processing specially crafted Mach-O binary files, the parser can enter a state of excessive resource consumption, potentially exhausting system resources.
The attack requires local access to the target system, meaning an attacker must be able to provide a malicious Mach-O file that will be processed by Radare2. This limits the attack surface but remains relevant in scenarios where Radare2 is used to analyze untrusted binaries.
It is important to note that this vulnerability is disputed by the code maintainer, who states that they "won't consider this bug a DoS." However, the issue has been addressed in version 6.1.2.
Root Cause
The root cause lies in inadequate resource management within the walk_exports_trie function when parsing the exports trie structure in Mach-O binary files. The function fails to properly limit resource consumption when processing malformed or specially crafted export trie data, allowing an attacker to trigger excessive CPU or memory usage through manipulated input.
Attack Vector
The attack vector is local, requiring the attacker to provide a malicious Mach-O file to a Radare2 instance for analysis. The exploitation scenario typically involves:
- Crafting a malicious Mach-O binary with specially manipulated exports trie data
- Providing the crafted file to a Radare2 instance (either directly or through social engineering)
- The vulnerable walk_exports_trie function processes the malicious data, leading to resource exhaustion
A proof-of-concept file generator has been publicly disclosed. Technical details and the PoC can be found in the GitHub Issue Discussion and the associated PoC file.
Detection Methods for CVE-2026-4174
Indicators of Compromise
- Unusual CPU or memory spikes when Radare2 processes Mach-O binary files
- Radare2 processes becoming unresponsive during file analysis operations
- System resource exhaustion events coinciding with Mach-O file parsing activities
Detection Strategies
- Monitor Radare2 process resource consumption for anomalous behavior during file analysis
- Implement file integrity monitoring for Mach-O binaries before analysis
- Deploy process monitoring to detect Radare2 instances consuming excessive resources
- Review analysis logs for unusual patterns when processing untrusted binaries
Monitoring Recommendations
- Set resource limits (ulimit) on Radare2 processes to prevent system-wide impact
- Implement process monitoring alerts for abnormal CPU/memory consumption by r2 processes
- Monitor for repeated crashes or hangs of Radare2 during binary analysis workflows
How to Mitigate CVE-2026-4174
Immediate Actions Required
- Upgrade Radare2 to version 6.1.2 or later, which addresses this vulnerability
- Avoid analyzing untrusted Mach-O files with vulnerable versions of Radare2
- Implement resource limits on Radare2 processes using operating system controls
- Consider running Radare2 in sandboxed or containerized environments when analyzing untrusted binaries
Patch Information
The vulnerability has been addressed in Radare2 version 6.1.2. The specific fix is available in commit 4371ae84c99c46b48cb21badbbef06b30757aba0. Users should upgrade to the patched version to remediate this vulnerability.
- GitHub Commit Reference - Contains the patch addressing this vulnerability
- GitHub Milestone Overview - Release milestone including the fix
Workarounds
- Run Radare2 with resource limits using ulimit or cgroups to prevent system-wide impact
- Use containerization (Docker, Podman) to isolate Radare2 analysis of untrusted files
- Pre-validate Mach-O files using alternative tools before analysis with Radare2
# Example: Running Radare2 with resource limits
# Limit address space to 2 GB (ulimit -v takes kilobytes) and CPU time to 60 seconds.
# Both limits apply to the current shell and to every process it starts afterwards.
ulimit -v 2097152
ulimit -t 60
r2 suspicious_file.macho
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.