CVE-2025-5647: Memory Corruption in Radare2
A vulnerability was found in Radare2 5.9.9 and classified as problematic. The affected code is the function r_cons_context_break_pop in the file libr/cons/cons.c, reached through the radiff2 component. Manipulation of the argument -T leads to memory corruption. The attack must be carried out locally, its complexity is rated high, and exploitation is known to be difficult. An exploit has been disclosed publicly and may be used, although the real existence of this vulnerability is still doubted at the moment. The fix is commit 5705d99cc1f23f36f9a84aab26d1724010b97798, and applying it is recommended. The documentation describes the -T parameter as experimental and "crashy", and further analysis found that "the race is not a real problem unless you use asan". A new warning has been added.
AI Analysis
Technical Summary
CVE-2025-5647 is a memory corruption issue reported against Radare2 5.9.9 in the function r_cons_context_break_pop (libr/cons/cons.c), reached through the radiff2 tool. It is triggered by radiff2's -T option, the experimental threaded mode that the project's own documentation marks as "crashy". The underlying defect is a race: the maintainers' follow-up states that "the race is not a real problem unless you use asan", meaning the corruption surfaces under AddressSanitizer instrumentation rather than in ordinary builds, and the existence of a real vulnerability is doubted. The attack is local, the attack complexity is high because the race is hard to trigger reliably, no user interaction is needed, and low privileges (the ability to run radiff2 on the host) suffice. A public disclosure exists, and the fix is commit 5705d99cc1f23f36f9a84aab26d1724010b97798; a warning about the instability of -T has also been added to the tool. The CVSS v4.0 base score is 2.0 (low), reflecting local access, high complexity, and limited impact on confidentiality, integrity and availability. No exploitation in the wild is known.
Potential Impact
For European organizations the practical impact is small. Radare2 is an open-source reverse engineering framework used mainly by security researchers, malware analysts and developers, not as a component of mainstream enterprise services. Triggering the issue requires running radiff2 locally with the experimental -T option, and nothing in the advisory indicates that a privilege boundary is crossed: the process that gets corrupted is the one the local user started, so the realistic outcome is a crash or denial of service of that radiff2 run. Teams that use radiff2 in analysis pipelines could see intermittent failures when -T is enabled, most visibly in AddressSanitizer builds, where the maintainers say the race actually manifests. Given the low score and high attack complexity, this is not a vector for large-scale attacks, but organizations doing security research or software development with Radare2 should track the fix.
Mitigation Recommendations
Organizations running Radare2 5.9.9 should update to a build that contains commit 5705d99cc1f23f36f9a84aab26d1724010b97798: for packaged installs that means the next release carrying the fix, for source builds it means rebuilding from a checkout in which that commit is present. Until then, do not use radiff2's -T option in automated or production workflows; the documentation already marks it as experimental and "crashy", and a new warning has been added for it. Restrict local access to analysis hosts to authorized personnel, since the issue can only be triggered by someone able to run radiff2 on the machine, and log tool invocations on shared hosts so that crashes can be attributed to specific inputs and options. If you build Radare2 with AddressSanitizer for fuzzing or testing, expect this race to surface there first; that is also where sanitizer builds earn their keep, catching defects of this kind before they reach a release. Keep Radare2 on the latest stable version and follow the project's security advisories.
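The version and patch checks above, as an added example that is not code from the advisory or from the radare2 project. It assumes that `radiff2 -v` prints a banner whose second field is the version, as in the constructed sample `radiff2 5.9.9 0 @ linux-x86-64`, and that a source checkout, if one is present, is a git clone in which the fix commit can be tested with `git merge-base --is-ancestor`; the `R2_SRC` variable naming that checkout is hypothetical and specific to this script.

```sh
#!/bin/sh
# Added example: checks a radare2 install against CVE-2025-5647.
# Not part of the advisory or of radare2 itself.

FIX_COMMIT=5705d99cc1f23f36f9a84aab26d1724010b97798   # fix commit named in the advisory
AFFECTED_VERSION=5.9.9                                 # release named in the advisory

# Pull "major.minor.patch" out of a version banner. The banner layout
# "radiff2 5.9.9 0 @ linux-x86-64" is an assumption (constructed sample);
# adjust the pattern if your build prints something else.
r2_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^[^ ]* \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Success (0) when the version string is exactly the affected release.
is_affected_release() {
    [ "$1" = "$AFFECTED_VERSION" ]
}

# Success (0) when the fix commit is an ancestor of HEAD in the checkout $1.
# Fails (non-zero) if $1 is not a git repository or the commit is unknown there.
has_fix_commit() {
    git -C "$1" merge-base --is-ancestor "$FIX_COMMIT" HEAD 2>/dev/null
}

# Live check: only does anything when radiff2 is installed. A source checkout
# may be named in R2_SRC (hypothetical variable for this script); without one,
# the reported version alone decides.
check_install() {
    if ! command -v radiff2 >/dev/null 2>&1; then
        echo "radiff2 not installed"
        return 0
    fi
    ver=$(r2_version_from_banner "$(radiff2 -v 2>&1 | head -n 1)")
    if [ -n "${R2_SRC:-}" ] && has_fix_commit "$R2_SRC"; then
        echo "radiff2 $ver: source checkout contains $FIX_COMMIT, fixed"
    elif is_affected_release "$ver"; then
        echo "radiff2 $ver: affected release, avoid -T until updated"
    else
        echo "radiff2 $ver: not the release named in CVE-2025-5647 (verify the fix commit manually)"
    fi
}

check_install
```

The version match is deliberately exact rather than a range, because the advisory names only 5.9.9; for any other version the script asks you to confirm the commit rather than guessing. The git check is the more reliable of the two, since a distribution may backport the commit without bumping the version string.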
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-04T12:22:59.187Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 684158b1182aa0cae2d67439
Added to database: 6/5/2025, 8:43:29 AM
Last enriched: 7/7/2025, 3:39:41 AM
Last updated: 8/3/2025, 8:15:28 PM
Views: 15