Use-After-Free Vulnerability in radare2 Product by radareorg
CVE-2026-8695

8.7 HIGH

Key Information:

Vendor: Radare2

Status
Vendor
CVE Published: 15 May 2026

What is CVE-2026-8695?

radare2 version 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function. The issue arises when the product receives a valid qfThreadInfo response followed by an improperly formatted qsThreadInfo response. By manipulating thread list processing during a remote debugging session, a remote attacker can cause memory corruption, potentially resulting in denial of service or unauthorized code execution.

Affected Version(s)

radare2 6.1.5

radare2 c213ad6894a1eb9086ac8bf5fae35757e9e1683c

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Saad Elharaj