PatchSiren

CVE-2026-8695 radare2 CVE debrief

A use-after-free vulnerability exists in radare2 6.1.5 and earlier versions within the `gdbr_threads_list()` function, which handles GDB remote debugging protocol responses. The flaw occurs when processing thread information packets: a valid `qfThreadInfo` response followed by a malformed `qsThreadInfo` response can trigger memory corruption. This vulnerability is remotely exploitable through the GDB remote debugging interface and may lead to denial of service or potentially arbitrary code execution. The issue was disclosed on 2026-05-15 and last modified on 2026-05-18. A patch is available that addresses the thread list processing logic.

Vendor: radare2
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-18
Advisory published: 2026-05-15
Advisory updated: 2026-05-18

Who should care

Security teams operating malware analysis sandboxes, reverse engineering labs, and incident response environments using radare2 for binary analysis. Organizations with developers or security researchers using radare2's remote debugging capabilities against untrusted targets. DevSecOps pipelines integrating radare2 for automated binary inspection.

Technical summary

The vulnerability resides in radare2's GDB remote protocol implementation, specifically in `gdbr_threads_list()` which parses thread information responses from remote targets. The function fails to properly manage memory lifecycle when handling sequential `qfThreadInfo` and `qsThreadInfo` packets. An attacker controlling a malicious GDB server can send a valid initial thread info response followed by a malformed continuation response, causing a use-after-free condition. This affects radare2 versions through 6.1.4. The CVSS 4.0 score of 8.7 reflects network accessibility and high availability impact. The patch in commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c corrects the thread list parsing logic to prevent the memory safety issue.
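The memory-lifecycle rule at stake in a `qfThreadInfo` / `qsThreadInfo` sequence, shown as an added C example that is not radare2's code and not the patch: when a continuation reply is malformed, the partially built list is released once and its pointer cleared. The names `ThreadList`, `tl_free`, `tl_feed` and `collect_threads` are hypothetical, and the example assumes payloads already stripped of packet framing and plain hexadecimal thread ids.

```c
#include <ctype.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int *tids; size_t len, cap; } ThreadList; /* hypothetical type */

static void tl_free(ThreadList *tl) {
    free(tl->tids);
    *tl = (ThreadList){ 0 }; /* pointer cleared: no stale reuse, no double free */
}

/* Parse one reply payload: "m<hex>[,<hex>...]" or "l" (end of list).
 * Returns 1 = ask again, 0 = done, -1 = malformed (list released once). */
static int tl_feed(ThreadList *tl, const char *p) {
    if (!strcmp(p, "l")) return 0;
    if (*p++ != 'm') { tl_free(tl); return -1; }
    for (;;) {
        char *end;
        unsigned long tid = isxdigit((unsigned char)*p) ? strtoul(p, &end, 16) : ULONG_MAX;
        if (tid > INT_MAX) break;            /* empty, non-hex or oversized id */
        if (tl->len == tl->cap) {
            size_t ncap = tl->cap ? tl->cap * 2 : 8;
            int *n = realloc(tl->tids, ncap * sizeof *n);
            if (!n) break;
            tl->tids = n; tl->cap = ncap;
        }
        tl->tids[tl->len++] = (int)tid;
        if (*end == '\0') return 1;
        if (*end != ',') break;
        p = end + 1;
    }
    tl_free(tl);
    return -1;
}

/* replies[0] answers qfThreadInfo, the rest answer qsThreadInfo. */
static long collect_threads(const char *const *replies, size_t n, ThreadList *tl) {
    for (size_t i = 0; i < n; i++) {
        int r = tl_feed(tl, replies[i]);
        if (r <= 0) return r < 0 ? -1 : (long)tl->len;
    }
    tl_free(tl); /* replies ended without the "l" terminator */
    return -1;
}

int main(void) { /* constructed replies: valid first packet, malformed continuation */
    const char *bad[] = { "m1,2", "m3,,4" }; ThreadList tl = { 0 };
    return collect_threads(bad, 2, &tl) == -1 && !tl.tids ? 0 : 1;
}
```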

Defensive priority

high

Recommended defensive actions

  • Upgrade radare2 to version 6.1.5 or later, which contains the security patch
  • Restrict network access to GDB remote debugging ports (typically 1234/tcp) to trusted hosts only
  • Monitor for unexpected radare2 crashes during debugging sessions as potential exploitation indicators
  • Review and validate any third-party GDB servers or stubs used with radare2 for trustworthiness
  • Consider disabling remote GDB debugging capabilities if not required for operational workflows

Evidence notes

The vulnerability is classified as CWE-416 (Use After Free). Affected versions are radare2 up to and including 6.1.4. The CVSS 4.0 vector indicates network attack vector with low attack complexity and high availability impact. Multiple GitHub issues document exploitability through crafted GDB protocol responses.
