CVE-2026-31053
Double Free in librz LE Loader Causes Denial of Service
Publication date: 2026-04-06
Last updated on: 2026-04-14
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rizin | rizin | 0.8.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-415 | The product calls free() twice on the same memory address. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the rizin binary analysis tool on potentially crafted LE (Linear Executable) binaries and observing if the application crashes due to heap corruption or double free errors.
A suggested command to reproduce the issue is to run rizin with aggressive analysis flags on a crafted binary file, for example:
- `rizin -AAA <crafted_LE_binary>`
If the tool crashes with a segmentation fault or reports heap corruption, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the rizin tool to a version that includes the fix for this vulnerability, specifically version 0.8.2 or later.
The fix involves correcting the memory deallocation routine in the handling of LE relocation entries to prevent double free and heap corruption.
Until the update is applied, avoid processing untrusted or malformed LE binaries with rizin, especially in automated service pipelines, to prevent denial-of-service crashes.
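A pipeline guard covering both the detection and the mitigation answers above, as an added example that is not code from this page or from the Rizin project: it holds back LE input on hosts that are not yet updated, and otherwise runs the analyzer in a child process so that a crash is recorded as a signal instead of taking the service down. Assumptions: the function names and the `patched` switch are hypothetical, the input is recognised by the `LE`/`LX` signature either at offset 0 or at the offset stored at 0x3C of an MZ stub, and LX files are held back along with LE.

```python
import signal
import struct
import subprocess
import sys

LE_MAGICS = (b"LE", b"LX")  # assumption: LX is held back together with LE


def looks_like_le(data: bytes) -> bool:
    """True if the buffer has an LE/LX header, bare or behind an MZ stub."""
    if data[:2] in LE_MAGICS:
        return True
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (off,) = struct.unpack_from("<I", data, 0x3C)  # offset of the new header
        return data[off:off + 2] in LE_MAGICS
    return False


def run_isolated(cmd, timeout=120):
    """Run an analysis command in a child process and classify how it ended."""
    try:
        proc = subprocess.run(cmd, stdin=subprocess.DEVNULL,
                              stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"
    if proc.returncode < 0:  # POSIX: -N means the child died from signal N
        return "crash:" + signal.Signals(-proc.returncode).name
    return "ok" if proc.returncode == 0 else f"error:{proc.returncode}"


def triage(path, analyzer=("rizin", "-AAA"), patched=False):
    """Quarantine LE/LX input on unpatched hosts; otherwise analyse in a child."""
    with open(path, "rb") as fh:
        head = fh.read(1 << 20)  # enough to reach the header behind a DOS stub
    if not patched and looks_like_le(head):
        return "quarantined"
    return run_isolated([*analyzer, path])


if __name__ == "__main__":
    # Constructed sample: a 0x80-byte MZ stub whose 0x3C field points at "LE".
    stub = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80) + bytes(0x40) + b"LE"
    print(looks_like_le(stub))
    # Stand-in for a crashing analyzer: a child that aborts itself.
    abort = "import os, signal; os.kill(os.getpid(), signal.SIGABRT)"
    print(run_isolated([sys.executable, "-c", abort]))
```

A `crash:SIGABRT` or `crash:SIGSEGV` verdict on an LE file is the crash signature the detection answer describes; the signal-based classification applies to POSIX hosts.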
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-31053 is a double free vulnerability in the Rizin binary analysis framework, specifically in the function le_load_fixup_record() within librz/bin/format/le/le.c. The issue occurs when processing malformed or circular Linear Executable (LE) fixup chains, causing relocation entries to be freed multiple times during error handling. This improper memory deallocation leads to heap corruption and use-after-free errors.
The root cause was that the function rz_bin_reloc_free was incorrectly called on LE_reloc structures instead of the appropriate free function, resulting in heap corruption and potential crashes. This vulnerability can be triggered by a specially crafted LE binary file.
How can this vulnerability impact me?
An attacker can exploit this vulnerability by supplying a specially crafted LE binary to the Rizin tool, causing it to crash due to heap corruption and use-after-free errors.
This results in a denial-of-service (DoS) condition, which can disrupt services, especially if Rizin is integrated into automated service pipelines or used in environments processing untrusted binaries.