Radare2 Double-Free Vulnerability in Radiff2 Component

Vulnerability

A double-free vulnerability has been identified in Radare2 version 5.9.9, in the radiff2 component. The defect is in the function r_cons_pal_init in /libr/cons/pal.c and is reached through the experimental -T argument of radiff2: the same heap allocation is released twice, corrupting the heap. Exploitation requires local access and is considered difficult; the issue has been publicly disclosed, so a trigger is available to anyone who wants it.

Impact

Triggering the bug frees the same heap allocation twice, which corrupts the allocator's state. With a modern allocator this typically aborts the process, i.e. a crash of radiff2 (denial of service); under less favourable conditions a double free can be the starting point for further memory corruption.

Reproduction

The report reproduces the bug with a Radare2 build instrumented by AddressSanitizer (for example, compiled with -fsanitize=address), which stops at the second release of the allocation with an "attempting double-free" report instead of continuing on a corrupted heap. After building and installing the instrumented radare2, running radiff2 with the -T option and the proof-of-concept input, named POC1 in the report, triggers the fault; beyond -T and the other parameters radiff2 accepts, the exact command line is not given.
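The mechanics behind such a report, as an added illustration that is not radare2's code and makes no claim about how r_cons_pal_init is written: a hypothetical palette struct whose colour strings are released without clearing the pointers, a shallow copy that aliases them (the kind of sharing a threaded mode can introduce), and the two fixes that matter, clearing after free and deep-copying state that a second owner will tear down. The --crash path is what an AddressSanitizer build turns into an "attempting double-free" report. Palette, the pal_* functions, FREE_AND_NULL and the colour strings are all constructed here.

```c
/* Added illustration of the double-free pattern; not radare2 code.
 * Build and run the crashing path under ASan:
 *   cc -g -fsanitize=address pal_demo.c -o pal_demo && ./pal_demo --crash
 * ASan reports "attempting double-free" with the stacks of both free() calls.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAL_ENTRIES 4

/* Hypothetical palette: a few heap-allocated ANSI colour strings. */
typedef struct {
    char *color[PAL_ENTRIES];
} Palette;

/* Constructed defaults; their content is irrelevant to the bug pattern. */
static const char *const pal_defaults[PAL_ENTRIES] = {
    "\x1b[31m", "\x1b[32m", "\x1b[33m", "\x1b[34m"
};

/* Free a pointer and clear it, so a repeated release on the SAME struct is a no-op. */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

/* Allocate the default strings; returns how many entries were allocated. */
static int pal_init(Palette *p) {
    int n = 0;
    for (int i = 0; i < PAL_ENTRIES; i++) {
        p->color[i] = strdup(pal_defaults[i]);
        if (p->color[i]) n++;
    }
    return n;
}

/* Bug pattern: release without clearing. Harmless once, fatal when the same
 * pointers are reachable from a second struct or the struct is torn down twice. */
static void pal_fini_vuln(Palette *p) {
    for (int i = 0; i < PAL_ENTRIES; i++) {
        free(p->color[i]);
    }
}

/* Hardened release: clears each slot and returns how many live pointers it
 * freed, so a second call on the same object returns 0 instead of crashing. */
static int pal_fini_safe(Palette *p) {
    int freed = 0;
    for (int i = 0; i < PAL_ENTRIES; i++) {
        if (p->color[i]) {
            FREE_AND_NULL(p->color[i]);
            freed++;
        }
    }
    return freed;
}

/* Deep copy: the copy owns its own strings, so both objects can be released
 * independently. Clearing after free does NOT protect a shallow copy, because
 * the copy still holds the stale pointers. */
static int pal_clone(Palette *dst, const Palette *src) {
    int n = 0;
    for (int i = 0; i < PAL_ENTRIES; i++) {
        dst->color[i] = src->color[i] ? strdup(src->color[i]) : NULL;
        if (dst->color[i]) n++;
    }
    return n;
}

/* Correct lifecycle: init, deep-copy for a second user, release both, then a
 * redundant release that must be a no-op. Returns the total number of frees. */
static int pal_safe_lifecycle(void) {
    Palette shared = {{0}}, worker = {{0}};
    int total = 0;
    pal_init(&shared);
    pal_clone(&worker, &shared);
    total += pal_fini_safe(&shared);   /* 4 */
    total += pal_fini_safe(&worker);   /* 4 */
    total += pal_fini_safe(&shared);   /* 0: slots already cleared */
    return total;                      /* 8 */
}

/* The bug: a shallow struct copy (what a per-thread copy of shared state
 * amounts to) aliases every heap pointer; releasing both copies frees each
 * string twice. Only run this under ASan. */
static void pal_double_free(void) {
    Palette shared = {{0}};
    pal_init(&shared);
    Palette worker = shared;   /* shallow copy: same heap pointers */
    pal_fini_vuln(&shared);
    pal_fini_vuln(&worker);    /* second free of each string: ASan aborts here */
}

int main(int argc, char **argv) {
    if (argc > 1 && strcmp(argv[1], "--crash") == 0) {
        pal_double_free();
        puts("no abort: rebuild with -fsanitize=address to see the report");
    } else {
        printf("safe lifecycle performed %d frees\n", pal_safe_lifecycle());
    }
    return 0;
}
```

The point of the two fixes is that they address different failure modes: FREE_AND_NULL makes a repeated teardown of one object harmless, while pal_clone is what prevents two owners of aliased pointers from each releasing them. A threaded caller that copies state by value gets neither protection for free, which is why a mode flagged as experimental is a natural place for a bug of this shape to surface.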

Remediation

Users are advised to upgrade to Radare2 version 6.0.2, which contains the fix. Until the upgrade is in place, not using the experimental -T option of radiff2 avoids the affected code path.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 4.2
impact: 1.3
exploitability: 6.0
remediation: 7.9
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.