CVE-2025-5641: Memory Corruption in Radare2
A vulnerability was found in Radare2 5.9.9. It has been rated as problematic. This issue affects the function r_cons_is_breaked in the library /libr/cons/cons.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". An additional warning regarding threading support has been added.
AI Analysis
Technical Summary
CVE-2025-5641 is a memory corruption vulnerability identified in Radare2 version 5.9.9, specifically within the function r_cons_is_breaked located in the radiff2 component's /libr/cons/cons.c file. The vulnerability arises from improper handling of the experimental -T argument, which can lead to memory corruption when manipulated. Radare2 is an open-source reverse engineering framework widely used for binary analysis and debugging. The vulnerability requires local access to the host to be exploited, and the attack complexity is considered high, with exploitation known to be difficult. The vulnerability does not require user interaction but does require low-level privileges (local privileges) to execute. The issue is compounded by threading concerns, although the race condition is not considered a significant problem unless AddressSanitizer (ASAN) is used. A patch identified by commit 5705d99cc1f23f36f9a84aab26d1724010b97798 has been released to address this issue. Despite public disclosure of the exploit, the real-world existence and impact of this vulnerability remain somewhat uncertain. The CVSS v4.0 score is low (2.0), reflecting limited impact and high attack complexity. The vulnerability affects only Radare2 version 5.9.9, and the -T parameter is marked as experimental and unstable, which may limit exposure in production environments.
Potential Impact
For European organizations, the impact of CVE-2025-5641 is generally low due to several factors: the vulnerability requires local access and low privileges, making remote exploitation infeasible; the attack complexity is high, reducing the likelihood of successful exploitation; and the affected feature (-T parameter) is experimental and not commonly used in production settings. However, organizations that use Radare2 extensively for reverse engineering, malware analysis, or security research could face risks if untrusted users gain local access to systems running the vulnerable version. Memory corruption could potentially lead to application crashes or limited code execution scenarios, which might disrupt analysis workflows or lead to denial of service in sensitive environments. Since Radare2 is popular among security professionals and researchers, the vulnerability could be leveraged in targeted attacks within organizations that rely on this tool, especially if combined with other vulnerabilities or insider threats. Overall, the direct impact on confidentiality, integrity, and availability is limited but should not be ignored in high-security or research environments.
Mitigation Recommendations
1. Immediate application of the official patch identified by commit 5705d99cc1f23f36f9a84aab26d1724010b97798 to Radare2 version 5.9.9 is strongly recommended to eliminate the vulnerability.
2. Avoid using the experimental -T parameter in Radare2 until the patch is applied and the feature is deemed stable.
3. Restrict local access to systems running Radare2 to trusted users only, employing strict access controls and monitoring to prevent unauthorized local exploitation attempts.
4. Implement host-based intrusion detection systems (HIDS) to detect anomalous behavior or crashes related to Radare2 processes.
5. Conduct regular audits of installed software versions and configurations to ensure no vulnerable Radare2 instances are in use.
6. Educate security analysts and researchers about the risks associated with experimental features and encourage the use of stable releases in production or sensitive environments.
7. If AddressSanitizer is used in testing or development environments, be aware of the threading warnings and potential race conditions to avoid false positives or overlooked issues.
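An added example for recommendations 2 and 5 (not code from the advisory or from the Radare2 project): it scans the text of shell scripts or CI jobs for radiff2 invocations that pass -T, alone or bundled with other short options, and checks a version string against 5.9.9. The sample script, the version-string format and the bundled-flag heuristic are assumptions constructed for illustration; the heuristic may over-report when an option value happens to start with "-" and contain "T".

```python
import re
import shlex

AFFECTED_VERSION = "5.9.9"  # the version named in the advisory
SEPARATORS = {";", "|", "||", "&", "&&", "|&", "(", ")"}  # another command starts here

def tokenize(line):
    """Split a shell line into words and operators; '#' comments are dropped."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:  # unbalanced quote: fall back to a plain whitespace split
        return line.split()

def uses_radiff2_T(line):
    """True if the line runs radiff2 with the -T short option (alone or bundled)."""
    tokens = tokenize(line)
    for i, tok in enumerate(tokens):
        if tok.rsplit("/", 1)[-1] != "radiff2":
            continue
        for arg in tokens[i + 1:]:
            if arg == "--" or arg in SEPARATORS:
                break  # end of options, or end of this command
            if arg.startswith("-") and not arg.startswith("--") and "T" in arg[1:]:
                return True
    return False

def audit_script(text):
    """Return (line_number, line) for every line that runs radiff2 with -T."""
    return [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)
            if uses_radiff2_T(l)]

def is_affected_version(version_text):
    """True if the first x.y.z number in the text is the affected version."""
    m = re.search(r"\b\d+\.\d+\.\d+\b", version_text)
    return bool(m) and m.group(0) == AFFECTED_VERSION

# Constructed sample input, not taken from any real system.
SAMPLE_SCRIPT = '''\
#!/bin/sh
# radiff2 -T old.bin new.bin   (commented out)
radiff2 -A old.bin new.bin
/usr/bin/radiff2 -AT old.bin new.bin | tee diff.txt
radiff2 -- -T.bin new.bin
radiff2 old.bin new.bin; grep -T pattern log
echo "radiff2 -T"
'''

if __name__ == "__main__":
    for number, line in audit_script(SAMPLE_SCRIPT):
        print(f"line {number}: {line}")
```

Only line 4 of the sample is reported: the commented-out call, the file name after `--`, the `grep -T` in a separate command and the quoted string are all skipped.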
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-04T11:58:51.795Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68413c9b182aa0cae2d27232
Added to database: 6/5/2025, 6:43:39 AM
Last enriched: 7/7/2025, 3:27:39 AM
Last updated: 8/20/2025, 11:40:05 AM