Integer Overflow Vulnerability in radareorg radare2 Versions Up to 6.1.6
CVE-2026-14786

4.8MEDIUM

Key Information:

Vendor

Radareorg

Status
Vendor
CVE Published:
6 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-14786?

A security flaw has been identified in the radareorg radare2 software, particularly within the function r_str_word_get0set in the libr/util/str.c file. This vulnerability leads to an integer overflow that can potentially allow an attacker to exploit the system, provided they have local access. The exploit has been publicly released, which increases the risk of attacks against affected installations. It is highly recommended for users to apply the latest patch (commit 11ac224c0eb8d57830fccc99e1c1cd8e5d958813) to mitigate this issue and safeguard their systems.

Affected Version(s)

radare2 6.1.0

radare2 6.1.1

radare2 6.1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kery Qi (VulDB User)
.