CVE-2026-4174
Awaiting Analysis - Queue
Resource Consumption in Radare2 Mach-O Parser (walk_exports_trie)

Publication date: 2026-03-16

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in Radare2 5.9.9. It affects the function walk_exports_trie in the file libr/bin/format/mach0/mach0.c of the Mach-O File Parser component. The manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been publicly disclosed and may be used. The existence of this vulnerability is still disputed. Upgrading to version 6.1.2 addresses this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that "[he] won't consider this bug a DoS".

Meta Information
Published: 2026-03-16
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-03-16
EPSS Evaluated: 2026-06-15

Affected Vendors & Products
Showing 3 associated CPEs

Vendor  | Product | Version / Range
radare2 | radare2 | 5.9.9
radare2 | radare2 | From 6.1.2 (inc)
radare2 | radare2 | 6.1.2

CWE ID  | Description
CWE-400 | The product does not properly control the allocation and maintenance of a limited resource.
CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use.

Executive Summary

This vulnerability exists in Radare2 version 5.9.9, specifically in the function walk_exports_trie within the Mach-O File Parser component. It leads to resource consumption when exploited.

The attack can only be performed locally, and although the exploit has been publicly disclosed, the existence of the vulnerability is still disputed by the code maintainer, who does not consider it a denial-of-service (DoS) issue.

Upgrading Radare2 to version 6.1.2 addresses this issue.

Impact Analysis

The vulnerability can lead to resource consumption on the affected system when exploited locally.

Given the low CVSS scores (v2.0 BaseScore 1.7, v3.1 BaseScore 3.3), the impact is limited and does not affect confidentiality or integrity, only availability to a minor extent.

Since the attack requires local access, remote exploitation is not possible.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Radare2 to version 6.1.2, which addresses the issue.
