CVE-2018-14017

Name of the Vulnerable Software and Affected Versions radare2 version 2.7.0

Description The issue is related to a denial of service (heap-based buffer over-read and application crash) that can be caused by remote attackers via a crafted .class file. This is due to missing input validation in the r bin java line number table attr new function within the r bin java annotation new function in shlr/java/class.c.

Recommendations For radare2 version 2.7.0, consider applying input validation to the r bin java line number table attr new function to prevent the heap-based buffer over-read. As a temporary workaround, restrict the processing of crafted .class files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.