
CVE-2025-5645: Memory Corruption in Radare2

Severity: Low
Type: Vulnerability
Tags: CVE-2025-5645, cve, cve-2025-5645
Published: Thu Jun 05 2025 (06/05/2025, 07:31:05 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: Radare2

Description

A vulnerability, which was classified as problematic, was found in Radare2 5.9.9. This affects the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption. The attack requires local access. The complexity of an attack is rather high. The exploitability is said to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply a patch to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.

AI-Powered Analysis

Last updated: 07/07/2025, 03:28:11 UTC

Technical Analysis

CVE-2025-5645 is a memory corruption vulnerability identified in Radare2 version 5.9.9, specifically within the function r_cons_pal_init located in the /libr/cons/pal.c file of the radiff2 component. The vulnerability arises from improper handling of the -T argument, which is an experimental parameter described as "crashy" in the documentation. When manipulated, this argument can lead to memory corruption. The attack vector is local, meaning an attacker must have local access to the system to exploit the flaw. The complexity of exploitation is high, and the exploitability is considered difficult. There is no requirement for user interaction, and the attacker needs low privileges to attempt exploitation. The vulnerability does not impact confidentiality, integrity, or availability in a significant way, as reflected by the low CVSS score of 2.0 (CVSS 4.0 vector: AV:L/AC:H/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N). The vulnerability's existence has been questioned, and no known exploits have been observed in the wild. A patch identified by commit 5705d99cc1f23f36f9a84aab26d1724010b97798 has been recommended to address the issue. Additional analysis notes that race conditions are not a concern unless AddressSanitizer (ASAN) is used, and a warning has been added to the codebase to highlight the experimental and unstable nature of the -T parameter. Overall, this vulnerability is a low-severity local memory corruption issue affecting a niche reverse engineering tool, with limited practical exploitation potential.

Potential Impact

For European organizations, the impact of CVE-2025-5645 is expected to be minimal. Radare2 is an open-source reverse engineering framework primarily used by security researchers, malware analysts, and software developers for binary analysis and debugging. Its use is specialized and not widespread in general enterprise environments. The vulnerability requires local access and low privileges, which limits the attack surface. Since exploitation is difficult and no known exploits exist in the wild, the risk of this vulnerability being leveraged in targeted attacks is low. However, organizations that rely on Radare2 for security research or incident response should be aware of the potential for local privilege escalation or denial of service if the vulnerability is exploited. The memory corruption could lead to application crashes or instability, potentially disrupting analysis workflows. Confidentiality, integrity, and availability impacts on broader organizational IT infrastructure are negligible. Overall, the threat posed by this vulnerability to European organizations is low, but it is advisable for teams using Radare2 to apply the patch to maintain tool stability and security hygiene.

Mitigation Recommendations

1. Apply the patch identified by commit 5705d99cc1f23f36f9a84aab26d1724010b97798 promptly to Radare2 version 5.9.9 or upgrade to a later version where this issue is resolved.
2. Avoid using the experimental -T parameter in Radare2 unless absolutely necessary, as it is known to be unstable and prone to causing crashes.
3. Restrict local access to systems running Radare2 to trusted users only, minimizing the risk of unauthorized exploitation.
4. Implement strict user privilege management to ensure that only authorized personnel have the ability to execute Radare2 and manipulate its parameters.
5. Monitor usage of Radare2 in your environment for unusual activity or crashes that could indicate attempted exploitation.
6. If AddressSanitizer (ASAN) is used in development or testing environments, be aware that race conditions related to this vulnerability may be more pronounced; apply additional scrutiny in these contexts.
7. Educate security and development teams about the experimental nature of certain Radare2 features and encourage cautious use.
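
For recommendations 1, 2 and 5, the shell helpers below (an added example, not code from radare2 or from the CVE record) list radiff2 invocations that pass -T in a directory of scripts and check whether a local radare2 git checkout contains the fix commit. The function names, the sample file names and the line-based matching heuristic are assumptions; the sample scripts are constructed.

```shell
#!/bin/sh
# Added example: local audit helpers, not part of radare2.
LC_ALL=C; export LC_ALL
FIX_COMMIT=5705d99cc1f23f36f9a84aab26d1724010b97798  # patch id quoted in the advisory

# List file:line:text for radiff2 invocations passing -T, alone or in a
# short-option cluster such as -AT. Line-based heuristic; case-sensitive,
# so a lowercase -t is not reported. Stops at |, ; and & so a -T given to
# a later command in a pipeline is ignored.
find_radiff2_T() {
    grep -rnHE '(^|[^[:alnum:]_.-])radiff2([[:space:]]+[^[:space:]|;&]+)*[[:space:]]+-[A-Za-z]*T[A-Za-z]*([[:space:]]|$)' "$1" 2>/dev/null
}

# Number of matching lines under $1 (file or directory).
count_radiff2_T() {
    find_radiff2_T "$1" | wc -l | tr -d ' '
}

# Exit 0 only if the radare2 git checkout in $1 contains the fix commit.
checkout_has_fix() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Constructed sample scripts for a dry run (hypothetical file names).
make_sample_tree() {
    mkdir -p "$1/ci"
    cat > "$1/ci/diff.sh" <<'EOF'
radiff2 -T old.bin new.bin
radiff2 -A -C old.bin new.bin
/usr/bin/radiff2 -AT old.bin new.bin
EOF
    cat > "$1/ci/ok.sh" <<'EOF'
radiff2 -t 80 old.bin new.bin
radiff2 old.bin new.bin | grep -T x
EOF
}

# Usage: sh audit.sh <dir-with-scripts> [radare2-checkout]
if [ -n "${1:-}" ]; then
    find_radiff2_T "$1" || echo "no radiff2 -T usage under $1"
    if [ -n "${2:-}" ]; then
        if checkout_has_fix "$2"; then echo "fix present"; else echo "fix not found"; fi
    fi
fi
```

Commented-out lines that mention `radiff2 -T` are also reported, so review the hits rather than treating the count as exact.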


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-04T12:17:44.663Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68414aaa182aa0cae2d47303

Added to database: 6/5/2025, 7:43:38 AM

Last enriched: 7/7/2025, 3:28:11 AM

Last updated: 8/16/2025, 12:57:42 AM

Views: 11
