PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8696 radare2 CVE debrief

A use-after-free vulnerability (CWE-416) exists in radare2 versions up to and including 6.1.4, in the GDB client core, specifically in the `gdbr_pids_list()` function. The flaw is triggered by malformed thread information responses from a remote GDB server. During the thread discovery exchange, a successful `qfThreadInfo` reply allocates `RDebugPid` structures; if the subsequent `qsThreadInfo` command then fails, the error-handling path cleans up the partially populated list and releases those structures a second time. The resulting double free can crash radare2 (denial of service) and potentially allow arbitrary code execution. The vulnerability is reachable by any GDB server that radare2 connects to, without authentication, because the client consumes server responses without adequately validating the state of the thread information sequence. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and high availability impact. A patch has been committed to correct the cleanup logic in the error path.

Vendor
radare2
Product
Unknown
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-15
Original CVE updated
2026-05-19
Advisory published
2026-05-15
Advisory updated
2026-05-19

Who should care

Security teams operating reverse engineering workstations, malware analysts using radare2 for remote debugging, DevSecOps engineers managing binary analysis pipelines, and organizations with developers using radare2's GDB remote debugging capabilities against potentially untrusted targets.

Technical summary

The vulnerability stems from improper state management in the GDB remote protocol client. When parsing thread information responses (`qfThreadInfo`/`qsThreadInfo` packets), the `gdbr_pids_list()` function in `libr/debug/p/debug_gdb.c` allocates an `RDebugPid` structure for each thread reported by a successful `qfThreadInfo` reply. If the follow-up `qsThreadInfo` command fails or returns malformed data, the error cleanup path calls `r_list_free()` on the partially constructed list. The `RDebugPid` elements held by that list, however, may already have been released by the time `r_list_free()` runs, or may be freed again by later operations, so they are freed a second time: a double free or use-after-free, classified as CWE-416. The CVSS 4.0 score of 8.7 (HIGH) reflects the network attack vector and the availability impact. In practice the untrusted party is the GDB server: any stub, emulator or remote target that radare2 attaches to (for example through a `gdb://host:port` URI) can return the malformed reply, which is why the issue matters most when radare2 is pointed at targets the analyst does not control.
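The ownership mistake described above, modelled in C as an added example. This is not radare2's code and not the patch: `DbgPid`, `List`, `pid_release`, `discover`, `pids_list_vulnerable`, `pids_list_fixed` and the scripted `FakeServer` replies are hypothetical stand-ins for `RDebugPid`, `RList` and the real client logic, and the element "free" is simulated with a flag so the second release is counted rather than corrupting the heap. The vulnerable variant shows the pattern the advisory describes (elements released individually, then again by the list's free callback when the `qsThreadInfo` step fails); the fixed variant makes the list the single owner so every path frees each element exactly once.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for radare2's RDebugPid and RList (not the project's code).
 * Elements live in a static pool and are "freed" by setting a flag, so a second
 * release of the same element is counted instead of corrupting the heap. */
typedef struct { int pid; int freed; } DbgPid;
typedef struct node { DbgPid *data; struct node *next; } Node;
typedef struct { Node *head; void (*free_fn)(void *); } List;
static DbgPid pool[64];
static int pool_used;
static int double_frees;            /* elements released twice in the last run */

static DbgPid *pid_new(int pid) {
    if (pool_used >= 64) return NULL;
    pool[pool_used] = (DbgPid){ pid, 0 };
    return &pool[pool_used++];
}
/* List free callback: a real one would call free(); this one records misuse. */
static void pid_release(void *v) {
    DbgPid *p = v;
    if (p && p->freed) double_frees++;
    else if (p) p->freed = 1;
}
static int list_append(List *l, DbgPid *p) {
    Node *n = calloc(1, sizeof *n);
    if (n) { n->data = p; n->next = l->head; l->head = n; }
    return n != NULL;
}
/* Releases every element through free_fn, then the nodes, leaving the list empty. */
static void list_free(List *l) {
    for (Node *n = l->head, *next; n; n = next) {
        next = n->next;
        if (l->free_fn) l->free_fn(n->data);
        free(n);
    }
    l->head = NULL;
}

/* One GDB thread-info reply: "m<tid>,<tid>,..." (hex ids) appends entries and
 * returns their number; "l" ends the sequence (0); NULL or malformed is -1. */
static int parse_thread_reply(const char *reply, List *out) {
    if (!reply) return -1;
    if (reply[0] == 'l' && !reply[1]) return 0;
    if (reply[0] != 'm') return -1;
    int count = 0;
    for (const char *s = reply + 1; *s; count++) {
        char *end;
        long tid = strtol(s, &end, 16);
        if (end == s || tid <= 0) return -1;
        DbgPid *p = pid_new((int)tid);
        if (!p || !list_append(out, p)) return -1;
        if (*end == ',') end++; else if (*end) return -1;
        s = end;
    }
    return count;
}

/* Scripted replies to qfThreadInfo / qsThreadInfo (a real client repeats qsThreadInfo until "l"). */
typedef struct { const char *qf_reply, *qs_reply; } FakeServer;

/* Thread discovery: total thread ids collected, or -1 if either step failed. */
static int discover(const FakeServer *srv, List *l) {
    int a = parse_thread_reply(srv->qf_reply, l);
    int b = a < 0 ? -1 : parse_thread_reply(srv->qs_reply, l);
    return b < 0 ? -1 : a + b;
}

/* Error path shaped like the advisory's: elements released one by one, then again by list_free(). */
static int pids_list_vulnerable(const FakeServer *srv) {
    List l = { NULL, pid_release };
    int n = discover(srv, &l);
    if (n < 0) {
        for (Node *p = l.head; p; p = p->next) pid_release(p->data); /* 1st release */
        list_free(&l);                                               /* 2nd release */
        return -1;
    }
    list_free(&l);   /* the real client hands the list to its caller instead */
    return n;
}
/* Hardened: the list is the single owner, so every path releases each element once. */
static int pids_list_fixed(const FakeServer *srv) {
    List l = { NULL, pid_release };
    int n = discover(srv, &l);
    list_free(&l);
    return n;
}
/* Good qfThreadInfo reply, malformed qsThreadInfo reply: count double releases. */
static int count_double_frees(int (*impl)(const FakeServer *)) {
    FakeServer bad = { "m1,2,3", "garbage" };   /* constructed transcript */
    double_frees = 0;
    impl(&bad);
    return double_frees;
}

int main(void) {
    printf("vulnerable error path: %d double frees\n", count_double_frees(pids_list_vulnerable));
    printf("fixed error path: %d double frees\n", count_double_frees(pids_list_fixed));
    return 0;
}
```

The point of the contrast is ownership, not the parser: once a list carries a free callback, nothing else may release its elements, and an error path that does so will collide with `list_free()`. Running the same code under AddressSanitizer with real `free()` calls in `pid_release` would report the second release as a double free at the `list_free(&l)` line of the vulnerable variant.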

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade radare2 to version 6.1.5 or later, which contains commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c; confirm the installed version with `r2 -v`
  • Restrict network access to GDB remote debugging interfaces to trusted hosts only
  • Monitor GDB remote sessions for malformed or out-of-sequence `qfThreadInfo`/`qsThreadInfo` replies, which may indicate exploitation attempts
  • Apply principle of least privilege when running radare2 with remote debugging capabilities enabled
  • Review and validate any custom GDB server implementations for proper thread information response formatting

Evidence notes

Vulnerability confirmed through NVD with CVSS 4.0 scoring. Patch commit c213ad6894a1eb9086ac8bf5fae35757e9e1683c addresses the use-after-free in `gdbr_pids_list()`. Issue #25836 contains exploit details and reproduction steps. VulnCheck advisory provides third-party analysis. CPE criteria confirms affected versions through 6.1.4. CWE-416 (Use After Free) classified as weakness type.

Official resources

2026-05-15