PatchSiren cyber security CVE debrief
CVE-2017-6387 Radare CVE debrief
CVE-2017-6387 is a denial-of-service vulnerability in radare2’s DEX parser. When dex_loadcode in libr/bin/p/bin_dex.c processes a crafted DEX file, it can perform an out-of-bounds read and crash the application. The NVD record maps the issue to radare2 1.2.1 and CWE-125. The official CVE/NVD record was published on 2017-03-02.
- Vendor: Radare
- Product: CVE-2017-6387
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-03-02
- Original CVE updated: 2026-05-13
- Advisory published: 2017-03-02
- Advisory updated: 2026-05-13
Who should care
Teams that use radare2 to analyze untrusted or externally supplied Android DEX files, especially installations pinned to or derived from radare2 1.2.1. Security teams should also care if radare2 is embedded in automated analysis pipelines where a crash could interrupt processing.
Technical summary
The vulnerable path is dex_loadcode in libr/bin/p/bin_dex.c. According to the NVD record, the flaw is an out-of-bounds read (CWE-125) that can be triggered by a crafted DEX file and results in application termination. NVD lists CVSS v3.0 as 5.5/Medium with AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating user interaction is required and the primary impact is availability. The source corpus also contains a radare2 issue and a fixing commit tied to the vulnerability.
Defensive priority
Medium
Recommended defensive actions
- Upgrade radare2 to a version that includes the fix referenced by the official radare2 commit.
- Avoid processing untrusted DEX files with affected builds unless they are isolated in a sandbox or disposable environment.
- If radare2 is used in an automated pipeline, add crash monitoring and job isolation so a malformed sample cannot disrupt broader processing.
- Validate inbound DEX files with separate pre-checks before handing them to radare2.
- Review the linked issue and commit to confirm the remediation is present in your deployed branch or package build.
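One way to implement the pre-check in the fourth action above, as an added example that is not radare2 code and not the fixing commit: it validates the documented DEX header fields (magic, adler32 checksum, file_size, header_size, endian_tag) and rejects files whose ID tables point outside the file. It does not know which field the CVE's crafted sample abuses, so it is a coarse filter for a pipeline front door, not a substitute for upgrading.

```python
import struct
import zlib

# Offsets follow the documented DEX header layout (0x70 bytes, little-endian).
HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
# (table name, bytes per item) for the six (size, off) pairs starting at offset 56.
TABLES = [("string_ids", 4), ("type_ids", 4), ("proto_ids", 12),
          ("field_ids", 8), ("method_ids", 8), ("class_defs", 32)]


def check_dex(data: bytes) -> list:
    """Return structural problems found in the header; an empty list means it passed."""
    if len(data) < HEADER_SIZE:
        return ["file shorter than the DEX header"]
    problems = []
    if data[:4] != b"dex\n" or data[7] != 0:
        problems.append("bad magic")
    checksum, = struct.unpack_from("<I", data, 8)
    if (zlib.adler32(data[12:]) & 0xFFFFFFFF) != checksum:
        problems.append("adler32 checksum mismatch")
    file_size, header_size, endian_tag = struct.unpack_from("<III", data, 32)
    if file_size != len(data):
        problems.append(f"file_size {file_size} != actual length {len(data)}")
    if header_size != HEADER_SIZE:
        problems.append(f"header_size {header_size:#x} != 0x70")
    if endian_tag != ENDIAN_CONSTANT:
        problems.append("unexpected endian_tag (big-endian or corrupt header)")
    # Every table must lie entirely inside the file, after the header.
    for i, (name, item_size) in enumerate(TABLES):
        size, off = struct.unpack_from("<II", data, 56 + 8 * i)
        if size and (off < HEADER_SIZE or off + size * item_size > len(data)):
            problems.append(f"{name} table at {off:#x} ({size} items) is outside the file")
    return problems


def build_sample(class_defs_size: int = 0, class_defs_off: int = 0) -> bytes:
    """Constructed 112-byte DEX with empty tables, used as sample input only."""
    tables = [0] * 12
    tables[10], tables[11] = class_defs_size, class_defs_off
    rest = b"\x00" * 20  # zeroed SHA-1 signature field (not verified here)
    rest += struct.pack("<6I", HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT, 0, 0, 0)
    rest += struct.pack("<12I", *tables) + struct.pack("<II", 0, 0)
    checksum = zlib.adler32(rest) & 0xFFFFFFFF  # adler32 covers everything after itself
    return b"dex\n035\x00" + struct.pack("<I", checksum) + rest
```

`check_dex(build_sample())` returns an empty list, while `check_dex(build_sample(1, 0x100000))` reports the class_defs table as lying outside the file.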
Evidence notes
Evidence comes from the official NVD CVE record, which lists the affected CPE as radare2 1.2.1, the weakness as CWE-125, and the CVSS v3.0 vector as AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The source corpus also includes a radare2 issue tracker entry and a fixing commit on GitHub, both referenced by MITRE/NVD. The CVE publication date used here is 2017-03-02 from the supplied timeline fields.
Official resources
- CVE-2017-6387 CVE record (CVE.org)
- CVE-2017-6387 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Issue Tracking, Patch, Third Party Advisory
Publicly disclosed in the CVE/NVD record on 2017-03-02; the supplied record was last modified on 2026-05-13. No KEV listing is provided in the source corpus.