PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45613 rizinorg CVE debrief

A heap out-of-bounds read (reported as a heap-buffer-overflow) exists in Rizin, a UNIX-like reverse engineering framework and command-line toolset. The flaw is in the OMF (Object Module Format) binary parser at librz/bin/format/omf/omf.c. It carries a CVSS 3.1 score of 3.3 (Low): the attack vector is local, user interaction is required, and the only rated impact is a limited loss of confidentiality. The issue was disclosed on May 29, 2026, and a fix was committed the same day.

Vendor
rizinorg
Product
rizin
CVSS
LOW 3.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations that use Rizin for reverse engineering or binary analysis, particularly where OMF files from untrusted sources are processed, and security teams running malware analysis or forensics pipelines that automatically load unknown binaries into Rizin.

Technical summary

The vulnerability is a heap out-of-bounds read (CWE-125), reported as a heap-buffer-overflow, in Rizin's OMF binary format parser. OMF (Object Module Format) is the relocatable object file format originally defined by Intel and used by 16-bit and early 32-bit x86 toolchains for DOS, OS/2 and Windows. The flaw is triggered while parsing OMF records in librz/bin/format/omf/omf.c: a crafted file causes the parser to read past the end of a heap-allocated buffer. Exploitation requires that a user open an attacker-supplied OMF file with Rizin (CVSS AV:L, UI:R), which limits the practical attack scenarios to analysts loading untrusted samples. The fix was committed as e6d0937c8a083e23ed76ccfb9f631cdc50c7af47.
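To make the bug class concrete, the following C program is an added illustration written for this debrief; it is not Rizin's code and does not reproduce the actual defect in omf.c, whose details the advisory does not give. It walks OMF records (1-byte type, 2-byte little-endian length, payload, checksum, per the Intel OMF specification) and contrasts a reader that trusts the declared record length with a hardened one that checks it against the bytes remaining in the buffer, including the nested name-length field inside a THEADR record. The function names are the author's own and all sample inputs are constructed byte strings.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* OMF record (Intel OMF spec): 1-byte type, 2-byte little-endian length that
 * counts everything after the length field (payload + 1 checksum byte), then
 * the payload, then the checksum. Checksums are not verified (0 is legal). */
#define OMF_HDR_LEN 3
#define OMF_THEADR  0x80

typedef struct {
    uint8_t type;
    uint16_t len;        /* declared length: payload + checksum byte */
    const uint8_t *data; /* first payload byte */
} omf_rec;

/* Unsafe pattern: only the 3 header bytes are bounds-checked; the declared
 * length is trusted, so on a truncated file a later read of data[0..len-1]
 * runs past the heap buffer (ASan: heap-buffer-overflow READ). Harmless here. */
static int omf_rec_unchecked(const uint8_t *buf, size_t size, size_t off, omf_rec *rec)
{
    if (off > size || size - off < OMF_HDR_LEN)
        return -1;
    rec->type = buf[off];
    rec->len = (uint16_t)(buf[off + 1] | ((uint16_t)buf[off + 2] << 8));
    rec->data = buf + off + OMF_HDR_LEN;
    return 0;
}

/* Hardened: declared length must fit the remaining bytes and cover the checksum. */
static int omf_rec_checked(const uint8_t *buf, size_t size, size_t off, omf_rec *rec)
{
    if (omf_rec_unchecked(buf, size, off, rec) != 0)
        return -1;
    size_t avail = size - off - OMF_HDR_LEN;
    return (rec->len < 1 || rec->len > avail) ? -1 : 0;
}

/* Bytes past the end of buf that a parser trusting the unchecked header would
 * read for the record at `off`; 0 means the record fits. */
size_t omf_overrun_unchecked(const uint8_t *buf, size_t size, size_t off)
{
    omf_rec r;
    if (omf_rec_unchecked(buf, size, off, &r) != 0)
        return 0;
    size_t declared_end = off + OMF_HDR_LEN + r.len;
    return declared_end > size ? declared_end - size : 0;
}

/* Walk the stream with the checked reader: record count, or -1 if truncated. */
int omf_count_records(const uint8_t *buf, size_t size)
{
    size_t off = 0;
    int n = 0;
    while (off < size) {
        omf_rec r;
        if (omf_rec_checked(buf, size, off, &r) != 0)
            return -1;
        off += OMF_HDR_LEN + r.len;
        n++;
    }
    return n;
}

/* THEADR payload: 1-byte name length, then the name. The inner length is
 * checked against the payload (len minus checksum) too: nested length fields
 * are a second place to over-read. Returns the name length, or -1. */
int omf_theadr_name_len(const uint8_t *buf, size_t size)
{
    omf_rec r;
    if (omf_rec_checked(buf, size, 0, &r) != 0 || r.type != OMF_THEADR)
        return -1;
    size_t payload = (size_t)r.len - 1;
    if (payload < 1 || r.data[0] > payload - 1)
        return -1;
    return r.data[0];
}

/* Constructed sample inputs, not taken from any real file or report. */
static const uint8_t omf_good[] = {   /* THEADR "hello", then MODEND */
    0x80, 0x07, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o', 0x60,
    0x8A, 0x02, 0x00, 0x00, 0x74 };
static const uint8_t omf_trunc[]  = { 0x80, 0x40, 0x00, 0x05, 'h', 'e' };       /* declares 64 bytes, 3 follow */
static const uint8_t omf_nested[] = { 0x80, 0x04, 0x00, 0x20, 'h', 'i', 0x00 }; /* record fits, name length lies */

int main(void)
{
    printf("good:   records=%d overrun=%zu name_len=%d\n",
           omf_count_records(omf_good, sizeof omf_good),
           omf_overrun_unchecked(omf_good, sizeof omf_good, 0),
           omf_theadr_name_len(omf_good, sizeof omf_good));
    printf("trunc:  records=%d overrun=%zu\n",
           omf_count_records(omf_trunc, sizeof omf_trunc),
           omf_overrun_unchecked(omf_trunc, sizeof omf_trunc, 0));
    printf("nested: records=%d name_len=%d\n",
           omf_count_records(omf_nested, sizeof omf_nested),
           omf_theadr_name_len(omf_nested, sizeof omf_nested));
    return 0;
}
```

The point of the two sample malformed inputs is that a record-level length check alone is not enough: the truncated file is caught by comparing the declared length against the remaining buffer, but the nested THEADR name length can still walk past the record unless it is checked against the record's own payload size. Building such inputs and running the parser under AddressSanitizer is how defects of this class are found in file-format parsers.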

Defensive priority

Low

Recommended defensive actions

  • Upgrade Rizin to a release that includes fix commit e6d0937c8a083e23ed76ccfb9f631cdc50c7af47.
  • Until the fix is deployed, treat OMF files from untrusted sources as hostile input and open them only in an isolated or sandboxed analysis environment. Rizin selects the format parser from the file's content, not its extension, so an extension-based filter does not keep untrusted input away from the OMF parser.
  • Monitor Rizin security advisories for additional hardening recommendations.

Evidence notes

CVE published and modified 2026-05-29. Fix commit e6d0937c8a083e23ed76ccfb9f631cdc50c7af47 dated the same day per source metadata. CVSS vector AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N: local attack vector, no privileges required, user interaction required, low confidentiality impact and no integrity or availability impact, consistent with an out-of-bounds read rather than a write.
