PT-2018-10540 · Radare2 · Radare2
Fumfel
·
Published
2018-05-22
·
Updated
2020-08-24
·
CVE-2018-11383
CVSS v3.1
5.5
Medium
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
radare2 version 2.5.0
Description
The issue allows remote attackers to cause a denial of service, resulting in an invalid free and application crash, via a crafted ELF file. This is due to an uninitialized variable in the CPSE handler in libr/anal/p/anal avr.c.
Recommendations
For radare2 version 2.5.0, consider avoiding the use of the
r strbuf fini() function until a patch is available. As a temporary workaround, restrict the processing of crafted ELF files to minimize the risk of exploitation.Fix
Use of Uninitialized Resource
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Radare2