CVE-2025-5644: Use After Free in Radare2
A vulnerability classified as problematic has been found in Radare2 5.9.9. Affected is the function r_cons_flush in the library /libr/cons/cons.c of the component radiff2. Manipulation of the argument -T leads to a use after free. The attack requires local access, its complexity is rather high, and exploitation is known to be difficult. The exploit has been disclosed to the public and may be used, although the real existence of this vulnerability is still doubted at the moment. The name of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798, and applying it is recommended. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown that "the race is not a real problem unless you use asan". A new warning has been added.
AI Analysis
Technical Summary
CVE-2025-5644 is a use-after-free vulnerability identified in Radare2 version 5.9.9, specifically within the function r_cons_flush located in the /libr/cons/cons.c file of the radiff2 component. The vulnerability arises from improper handling of the experimental -T argument, which can lead to memory being freed prematurely and subsequently accessed, causing undefined behavior. Exploitation requires local access with low privileges and does not require user interaction. The attack complexity is high, and exploitation is considered difficult. The vulnerability does not impact confidentiality, integrity, or availability significantly, as indicated by the low CVSS score of 2. The vulnerability has been publicly disclosed, but its practical exploitability remains questionable, with some analysis suggesting the race condition is only problematic when using AddressSanitizer (ASAN). A patch has been committed (identified by the hash 5705d99cc1f23f36f9a84aab26d1724010b97798) to address this issue, and a warning has been added to the documentation noting the experimental and unstable nature of the -T parameter. Overall, this vulnerability is a localized memory management flaw with limited impact and exploitation potential.
Potential Impact
For European organizations, the impact of CVE-2025-5644 is minimal due to several factors. Radare2 is a reverse engineering framework primarily used by security researchers, malware analysts, and developers rather than general enterprise applications. The vulnerability requires local access and low privileges, limiting remote exploitation possibilities. The high complexity and difficulty of exploitation further reduce the risk of widespread attacks. Additionally, the vulnerability does not compromise confidentiality, integrity, or availability in a significant manner. However, organizations that use Radare2 internally for security research or malware analysis could experience crashes or instability if the vulnerable -T parameter is used, potentially disrupting workflows. Given the niche user base and limited exploitability, the overall operational and security impact on European organizations is low.
Mitigation Recommendations
European organizations using Radare2 should take the following specific mitigation steps:
- Immediately update Radare2 to a version that includes the patch identified by commit 5705d99cc1f23f36f9a84aab26d1724010b97798 or later, ensuring the vulnerability is remediated.
- Avoid using the experimental -T parameter in radiff2 or any other Radare2 components until the patch is applied and the feature is deemed stable.
- Implement strict access controls to limit local user access to systems running Radare2, reducing the risk of exploitation by unauthorized users.
- Monitor internal security tools and workflows for crashes or abnormal behavior related to Radare2 usage, which could indicate attempts to trigger this vulnerability.
- Educate security analysts and developers about the risks associated with experimental features and encourage cautious use of such parameters.
These targeted actions go beyond generic advice by focusing on the specific vulnerable component and usage patterns.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-04T12:14:13.808Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68418437182aa0cae2dccca9
Added to database: 6/5/2025, 11:49:11 AM
Last enriched: 7/7/2025, 3:54:30 AM
Last updated: 8/4/2025, 8:28:15 PM