CVE-2025-5648: Memory Corruption in Radare2

Severity: Low
Tags: Vulnerability, CVE-2025-5648, cve, cve-2025-5648
Published: Thu Jun 05 2025 (06/05/2025, 09:00:13 UTC)
Source: CVE Database V5
Vendor/Project: n/a
Product: Radare2

Description

A vulnerability was found in Radare2 5.9.9 and has been classified as problematic. It affects the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. Manipulating the argument -T leads to memory corruption. The attack must be carried out locally. Attack complexity is rather high, and exploitation is reported to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as 5705d99cc1f23f36f9a84aab26d1724010b97798, and applying it is recommended to fix this issue. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.

AI-Powered Analysis

Last updated: 07/07/2025, 03:40:12 UTC

Technical Analysis

CVE-2025-5648 is a memory corruption vulnerability identified in Radare2 version 5.9.9, specifically within the function r_cons_pal_init located in the /libr/cons/pal.c file of the radiff2 component. The vulnerability arises from improper handling of the '-T' argument, which is an experimental parameter known to be unstable and potentially crash-inducing. When this argument is manipulated, it can lead to memory corruption. Exploitation requires local access to the system, and the attack complexity is considered high due to the difficulty in reliably triggering the vulnerability. Furthermore, the exploitability is low, and no user interaction or authentication bypass is involved. The vulnerability has been publicly disclosed, but its practical existence and impact remain somewhat uncertain, as indicated by the note that the race condition is not a significant issue unless AddressSanitizer (ASAN) is used. A patch has been committed (identified by commit hash 5705d99cc1f23f36f9a84aab26d1724010b97798) to address this issue, and a warning has been added to the documentation to highlight the experimental and unstable nature of the '-T' parameter. The CVSS 4.0 base score is 2.0, reflecting a low severity rating, with attack vector limited to local (AV:L), high attack complexity (AC:H), and requiring low privileges (PR:L). No known exploits are currently active in the wild.

Potential Impact

For European organizations, the impact of this vulnerability is limited due to several factors. Radare2 is primarily a reverse engineering and binary analysis tool used by security researchers, developers, and malware analysts rather than a widespread production system component. The requirement for local access and the high complexity of exploitation further reduce the risk of this vulnerability being leveraged in targeted attacks. However, organizations with security teams or researchers using Radare2 internally could face potential risks if untrusted users gain local access to systems running the vulnerable version. Exploitation could lead to memory corruption, potentially causing application crashes or, in rare cases, arbitrary code execution, which might compromise the confidentiality or integrity of analysis environments. Given the low severity and the niche usage of Radare2, the overall threat to European enterprises is minimal but should not be ignored in environments where Radare2 is actively used.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should ensure that all instances of Radare2 are updated to versions beyond 5.9.9 where the patch addressing CVE-2025-5648 has been applied. Since the '-T' parameter is experimental and known to be unstable, users should avoid using this argument unless absolutely necessary and only in controlled environments. Access controls should be enforced to restrict local access to systems running Radare2, limiting the potential for exploitation by unauthorized users. Additionally, organizations should monitor and audit usage of Radare2 to detect any unusual activity involving the '-T' parameter. Security teams should educate users about the risks associated with experimental features in security tools and encourage the use of stable releases. Employing runtime protections such as AddressSanitizer during development and testing can help detect memory corruption issues early, although it is noted that the race condition is primarily a concern under ASAN. Finally, maintaining a robust patch management process to promptly apply updates is essential.
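One way to audit for use of the '-T' parameter, as recommended above. This is an added example, not code from the Radare2 project or from this advisory. It assumes Linux auditd is already recording process executions as EXECVE records; the log lines are constructed samples, and the function names are illustrative.

```python
import re

# Constructed auditd EXECVE records for illustration (not real log data).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1749114000.101:811): argc=3 a0="radiff2" a1="old.bin" a2="new.bin"
type=EXECVE msg=audit(1749114021.552:812): argc=4 a0="/usr/bin/radiff2" a1="-T" a2="old.bin" a3="new.bin"
type=EXECVE msg=audit(1749114090.007:813): argc=4 a0="radiff2" a1="-AT" a2="old.bin" a3="new.bin"
type=EXECVE msg=audit(1749114122.300:814): argc=4 a0=2F6F70742F7232206275696C642F72616469666632 a1="-T" a2="old.bin" a3="new.bin"
type=EXECVE msg=audit(1749114150.900:815): argc=3 a0="grep" a1="-T" a2="notes.txt"
type=EXECVE msg=audit(1749114200.010:816): argc=5 a0="radiff2" a1="--" a2="-T" a3="a" a4="b"
"""

EVENT_RE = re.compile(r"^type=EXECVE msg=audit\(\d+\.\d+:(\d+)\):")
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

def parse_execve(line):
    """Return (serial, argv) for an EXECVE record, else None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    args = {}
    for idx, quoted, hexed in ARG_RE.findall(line):
        # auditd hex-encodes arguments that contain spaces or control bytes
        value = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
        args[int(idx)] = value
    return int(m.group(1)), [args[i] for i in sorted(args)]

def uses_threads_flag(argv):
    """True when argv runs radiff2 with -T among its options."""
    if not argv or argv[0].rsplit("/", 1)[-1] != "radiff2":
        return False
    for arg in argv[1:]:
        if arg == "--":  # end of options: a later "-T" is a file name
            return False
        # Assumption: getopt-style clusters ("-AT"); may over-match option values.
        if arg.startswith("-") and not arg.startswith("--") and "T" in arg[1:]:
            return True
    return False

def find_hits(log_text):
    """Return [(serial, argv)] for every radiff2 -T execution in the log."""
    records = (parse_execve(line) for line in log_text.splitlines())
    return [rec for rec in records if rec and uses_threads_flag(rec[1])]

if __name__ == "__main__":
    for serial, argv in find_hits(SAMPLE_LOG):
        print(f"audit event {serial}: {' '.join(argv)}")
```

The serial number of each hit can be used to pull the matching SYSCALL record for the same event, which carries the user and working directory.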

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-06-04T12:26:16.698Z
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 68415fd9182aa0cae2d772c7

Added to database: 6/5/2025, 9:14:01 AM

Last enriched: 7/7/2025, 3:40:12 AM

Last updated: 7/30/2025, 4:12:56 PM
