CVE-2026-14786
Received Received - Intake

Integer Overflow in radare2

Vulnerability report for CVE-2026-14786, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A security flaw has been discovered in radareorg radare2 up to 6.1.6. This impacts the function r_str_word_get0set of the file libr/util/str.c. The manipulation results in integer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 11ac224c0eb8d57830fccc99e1c1cd8e5d958813. It is best practice to apply a patch to resolve this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
radareorg radare2 to 6.1.6 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-189
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the radareorg radare2 project, specifically in the function r_str_word_get0set within the file libr/util/str.c. It is caused by improper handling of string lengths and buffer size calculations, leading to an integer overflow during memory allocation.

The overflow happens because the function uses signed integer arithmetic incorrectly when calculating the size of memory to allocate. For example, when given an input string length near INT_MAX and a small replacement string, the calculation wraps around, resulting in an invalid allocation size that can cause memory corruption or crashes.

The patch fixes this by introducing stricter validation, using safe size types (size_t), checking for negative values, and ensuring the total allocation size does not exceed safe limits.

Impact Analysis

This vulnerability can lead to memory corruption or crashes in the radare2 software when exploited locally. An attacker with local access can trigger the integer overflow to cause unexpected behavior, potentially destabilizing the application.

Since the exploit has been publicly released, it increases the risk of attacks that could disrupt normal operations or cause denial of service by crashing the program.

Detection Guidance

This vulnerability occurs in the function r_str_word_get0set of radare2 and involves an integer overflow during memory allocation. Detection involves identifying if the vulnerable version of radare2 (up to 6.1.6) is present on the system.

Since the exploit requires local access and triggers an allocation size overflow, detection can be attempted by running radare2 with inputs designed to trigger the overflow, such as very large strings close to INT_MAX length, and monitoring for crashes or AddressSanitizer errors.

A practical approach is to check the installed radare2 version and verify if it is older than the patched commit (11ac224c0eb8d57830fccc99e1c1cd8e5d958813).

  • Check radare2 version: `radare2 -v`
  • Run radare2 with a crafted input to test for the overflow (requires a proof-of-concept script as referenced in Resource 3).
  • Monitor system logs or AddressSanitizer output for allocation size errors or crashes related to radare2.
Mitigation Strategies

The primary mitigation step is to apply the patch identified by commit 11ac224c0eb8d57830fccc99e1c1cd8e5d958813 to the radare2 installation.

This patch fixes the integer overflow by adding strict validation of string lengths and allocation sizes, preventing unsafe memory operations.

If patching immediately is not possible, restrict local access to radare2 to trusted users only, as the attack requires local initiation.

  • Update radare2 to a version including the patch from commit 11ac224c0eb8d57830fccc99e1c1cd8e5d958813.
  • Limit local user permissions to prevent untrusted users from executing radare2.
  • Monitor for unusual crashes or AddressSanitizer alerts related to radare2.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14786. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart