Nixpkgs security tracker

Permalink CVE-2026-4174

3.3 LOW

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

updated 4 weeks, 1 day ago by @fricklerhandwerk Activity log

Created automatic suggestion 4 weeks, 2 days ago
@fricklerhandwerk deleted
3 maintainers
- @Mic92
- @makefu
- @azahi
4 weeks, 1 day ago maintainer.delete
@fricklerhandwerk added maintainer @fricklerhandwerk 4 weeks, 1 day ago maintainer.add

Radare2 Mach-O File mach0.c walk_exports_trie resource consumption

A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS".

References

VDB-351081 | Radare2 Mach-O File mach0.c walk_exports_trie resource consumption vdb-entrytechnical-description
VDB-351081 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #769799 | radareorg Radare2 5.9.9 Denial of Service third-party-advisory
https://github.com/radareorg/radare2/issues/25482 issue-tracking
https://github.com/user-attachments/files/25620145/gen_macho_poc.py exploit
https://github.com/ToddAWalter/radare2/commit/4371ae84c99c46b48cb21badbbef06b30… patch
https://github.com/radareorg/radare2/milestone/94 patch

Affected products

Radare2

==5.9.9
==6.1.2

Matching in nixpkgs

pkgs.radare2

UNIX-like reverse engineering framework and command-line toolset

nixos-unstable 6.0.7
- nixpkgs-unstable 6.0.7
- nixos-unstable-small 6.0.7
nixos-25.11 6.0.4
- nixos-25.11-small 6.0.4
- nixpkgs-25.11-darwin 6.0.4

Package maintainers

@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@arkivm Vikram Narayanan <vikram186@gmail.com>

Ignored maintainers (3)

@Mic92 Jörg Thalheim <joerg@thalheim.io>
@azahi Azat Bahawi <azat@bahawi.net>
@makefu Felix Richter <makefu@syntax-fehler.de>

Additional maintainers

@fricklerhandwerk Valentin Gagarin <valentin@fricklerhandwerk.de>

Permalink CVE-2024-11858

8.6 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 1 year, 3 months ago

Radare2: command injection via pebble application files in radare2

A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processing

References

RHBZ#2329102 x_refsource_REDHATissue-tracking
RHBZ#2329102 x_refsource_REDHATissue-tracking

Affected products

radare2

<5.9.9

Matching in nixpkgs

pkgs.radare2

UNIX-like reverse engineering framework and command-line toolset

nixos-unstable 5.9.6
- nixpkgs-unstable 5.9.6
- nixos-unstable-small 5.9.6

Package maintainers

@azahi Azat Bahawi <azat@bahawi.net>
@arkivm Vikram Narayanan <vikram186@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@makefu Felix Richter <makefu@syntax-fehler.de>
@Mic92 Jörg Thalheim <joerg@thalheim.io>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.radare2

Package maintainers

Additional maintainers

References

Affected products

Matching in nixpkgs

pkgs.radare2

Package maintainers