CVE-2025-5646 – Radare2 Double-Free Vulnerability in Radiff2 Component

Vulnerability

A memory corruption vulnerability has been identified in Radare2 version 5.9.9, specifically within the radiff2 component. The issue arises in the function r_cons_rainbow_free, located in the library /libr/cons/pal.c. The vulnerability is triggered by manipulating the experimental -T argument, leading to a double-free error. This vulnerability can be exploited locally, and while an exploit is publicly available, the actual existence of the vulnerability is currently disputed.

Impact

Exploitation of this vulnerability causes a double-free error, which can lead to memory corruption.

Reproduction

The vulnerability can be reproduced by compiling Radare2 with AddressSanitizer enabled, and then using the radiff2 tool with the -T option. This triggers the double-free condition in a multi-threaded context, where one thread frees memory that another thread is still using.

Remediation

Users are advised to update to the latest version of Radare2, where this vulnerability has been patched.

Added: Sep 1, 2025, 7:22 PM

Updated: Sep 1, 2025, 7:22 PM

Affected Products

Radare2

Easy fix2 remedies

cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*

Easy fix2 remedies

5.9.9

CVSS Scores

volerion

5.5

CVSS 4.0

5.5

Medium

volerion

6.2

CVSS 3.1

6.2

Medium

Vendor

2.0

CVSS 4.0

2.0

Low

Vendor

2.5

CVSS 3.1

2.5

Low

Click a row to open the calculator.

References

https://drive.google.com/file/d/1PYNtV7Kx2OEgM9Cemb5FBlMJH_J1wux0/view?usp=sharing

ExploitPartial Content

https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798

Source CodeVendor

https://github.com/radareorg/radare2/issues/24235

ExploitIssue TrackingTechnical DescriptionVendor

https://github.com/radareorg/radare2/issues/24235#issuecomment-2918847213