Use-After-Free Vulnerability in radare2 GDB Client Core
CVE-2026-8696

8.7 HIGH

Key Information:

Vendor: Radare2

Status: Vendor

CVE Published: 15 May 2026

What is CVE-2026-8696?

The radare2 GDB client core version 6.1.5 has a use-after-free vulnerability in the gdbr_pids_list() function. A remote attacker can send malformed thread information, leading to a denial of service or potentially arbitrary code execution. The flaw occurs when qsThreadInfo fails after RDebugPid structures have been successfully allocated, causing double-free memory corruption during the cleanup process.
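The cleanup error described above can be modelled in a few lines. This is an added illustration, not radare2's code: every type and function name is hypothetical, and a release counter stands in for free() so the double release can be observed without undefined behaviour.

```c
#include <stdio.h>

/* Hypothetical stand-ins, not radare2's types or code. */
typedef struct { int pid; int released; } Pid;   /* models a thread/pid record */
typedef struct { Pid *items[8]; int n; } List;   /* list that owns its records */

static Pid pool[8];
static int pool_n;

static Pid *pid_new(int pid) {
    Pid *p = &pool[pool_n++];
    p->pid = pid;
    p->released = 0;
    return p;
}
static void pid_release(Pid *p) { p->released++; }  /* stands in for free() */

static void list_free(List *l) {                    /* releases every owned record */
    for (int i = 0; i < l->n; i++) pid_release(l->items[i]);
    l->n = 0;
}

/* Flawed cleanup: a record already appended to the list is released by the
 * error path and then again by list_free(). */
static int collect_buggy(List *l, int followup_fails) {
    Pid *first = pid_new(100);                      /* constructed sample id */
    l->items[l->n++] = first;                       /* ownership moves to the list */
    if (followup_fails) {
        pid_release(first);                         /* release 1 */
        list_free(l);                               /* release 2: double free */
        return -1;
    }
    return 0;
}

/* Corrected cleanup: the list is the only owner, so it does the only release. */
static int collect_fixed(List *l, int followup_fails) {
    Pid *first = pid_new(100);
    l->items[l->n++] = first;
    if (followup_fails) { list_free(l); return -1; }
    return 0;
}

/* Highest release count of any record after a run whose follow-up step fails. */
static int max_releases(int (*collect)(List *, int)) {
    List l = { {0}, 0 };
    int max = 0;
    pool_n = 0;
    collect(&l, 1);
    for (int i = 0; i < pool_n; i++) if (pool[i].released > max) max = pool[i].released;
    return max;
}

int main(void) {
    printf("buggy=%d fixed=%d\n", max_releases(collect_buggy), max_releases(collect_fixed));
    return 0;
}
```

A count above 1 for any record is the condition that AddressSanitizer reports as a double free when real allocations are involved.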

Affected Version(s)

radare2 6.1.5

radare2 c213ad6894a1eb9086ac8bf5fae35757e9e1683c

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Credit

Saad Elharaj