PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6415 Radare CVE debrief

CVE-2017-6415 is a denial-of-service issue in radare2 1.2.1 affecting the DEX parser. A crafted DEX file can trigger a NULL pointer dereference in dex_parse_debug_item, leading to an application crash. The NVD record classifies the issue as CWE-476 and assigns CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating availability impact without confidentiality or integrity impact. The advisory references an issue tracker entry and a fixing commit in the radare2 repository.

Vendor: Radare
Product: CVE-2017-6415
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-02
Original CVE updated: 2026-05-13
Advisory published: 2017-03-02
Advisory updated: 2026-05-13

Who should care

Teams using radare2 1.2.1 or older builds that parse untrusted DEX files, especially security researchers, reverse engineers, malware analysts, and automated file-analysis pipelines.

Technical summary

The vulnerable function is dex_parse_debug_item in libr/bin/p/bin_dex.c. According to the CVE description and NVD metadata, a crafted DEX file can reach a NULL pointer dereference and crash radare2. NVD maps the issue to CWE-476 and lists the affected CPE as radare2 1.2.1. The published CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The source references include a SecurityFocus BID, a GitHub issue report, and a GitHub commit that serves as the vendor fix reference.

Defensive priority

Medium

Recommended defensive actions

  • Confirm whether radare2 1.2.1 is in use anywhere in your environment, including embedded tooling and analysis pipelines.
  • Apply the upstream fix referenced by commit 68338b71a563b24e62617bb629059adc0c94b230, or backport it if you maintain a downstream build.
  • Avoid processing untrusted DEX files in vulnerable versions until patched.
  • Run radare2 analysis workloads in isolated, least-privilege environments to limit crash impact.
  • Monitor for crashes or unexpected termination during DEX parsing and treat them as a sign to upgrade.
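The actions above as one wrapper script, added here as an example and not PatchSiren's or the radare2 project's own tooling: it gates on the installed version, runs each DEX file under resource limits, and classifies a signal-terminated run as the crash the last action says to watch for. Assumptions: `r2 -v` prints a first line beginning "radare2 X.Y.Z", and coreutils `timeout` is available.

```shell
#!/bin/sh
# Added example (not PatchSiren's or radare2's tooling). Assumes `r2 -v`
# prints a first line beginning "radare2 X.Y.Z"; check this on your build.
# Extract "X.Y.Z" from an `r2 -v` banner line; prints nothing if none is found.
r2_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^radare2 \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}
# True (exit 0) when X.Y.Z is 1.2.1 or older, the range this advisory covers.
r2_version_is_vulnerable() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ "$1" -lt 1 ] && return 0
    [ "$1" -gt 1 ] && return 1
    [ "$2" -lt 2 ] && return 0
    [ "$2" -gt 2 ] && return 1
    [ "$3" -le 1 ]
}
# Map an analysis run's exit status to a verdict: 124 is timeout(1)'s own code,
# 128+N means death by signal N (11 SIGSEGV, 6 SIGABRT), i.e. the "unexpected
# termination during DEX parsing" the advisory says to watch for.
classify_exit_status() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;
        134) echo "crash:SIGABRT" ;;
        139) echo "crash:SIGSEGV" ;;
        *)   if [ "$1" -gt 128 ]; then echo "crash:signal$(( $1 - 128 ))"
             else echo "error:$1"; fi ;;
    esac
}
# Load one DEX through r2's bin plugin (-q quits once -c has run `i`) in a
# subshell with a memory cap, no core dumps and a wall-clock limit, then report.
analyze_dex_safely() {
    ( ulimit -c 0; ulimit -v 1048576 2>/dev/null
      timeout 60 r2 -q -c i "$1" >/dev/null 2>&1 )
    verdict=$(classify_exit_status "$?")
    printf '%s %s\n' "$verdict" "$1"
    case "$verdict" in crash:*) return 2 ;; *) return 0 ;; esac
}
# Usage: sh dex_check.sh a.dex b.dex ...  (refuses to run on a vulnerable build)
main() {
    ver=$(r2_version_from_banner "$(r2 -v 2>/dev/null | head -n 1)")
    [ -n "$ver" ] || { echo "r2 missing or unrecognised banner" >&2; return 1; }
    if r2_version_is_vulnerable "$ver"; then
        echo "radare2 $ver is 1.2.1 or older (CVE-2017-6415): not parsing untrusted DEX" >&2
        return 1
    fi
    rc=0; for f in "$@"; do analyze_dex_safely "$f" || rc=$?; done; return "$rc"
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

A `crash:` verdict on a file that a patched build handles cleanly is the upgrade signal; a `timeout` verdict is worth the same triage, since the wall-clock cap is what keeps a hung parse from blocking a pipeline.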

Evidence notes

This debrief is based on the supplied CVE/NVD record and listed references. The CVE description states that dex_parse_debug_item in libr/bin/p/bin_dex.c can be crashed by a crafted DEX file. NVD metadata identifies radare2 1.2.1 as the vulnerable version, maps the weakness to CWE-476, and provides CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. The referenced GitHub issue and commit are the vendor-linked remediation evidence. Note: the prose description says 'remote attackers,' while the CVSS vector records UI:R and AV:L; this summary preserves both source signals without adding unsupported interpretation.

Official resources

CVE published on 2017-03-02T01:59:00.253Z. The source record was last modified on 2026-05-13T00:24:29.033Z.