CVE-2025-5642

Name of the Vulnerable Software and Affected Versions Radare2 version 5.9.9

Description A problematic vulnerability has been found in Radare2, affecting the function r cons pal init in the library /libr/cons/pal.c of the component radiff2. The manipulation leads to memory corruption. The attack needs to be approached locally and has a rather high complexity. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown that the issue is not a real problem unless asan is used. A new warning has been added.

Recommendations To fix this issue, it is recommended to apply a patch, identified as 5705d99cc1f23f36f9a84aab26d1724010b97798. As a temporary workaround, consider disabling the r cons pal init function until a patch is available. Additionally, avoid using the experimental parameter -T unless necessary, and be cautious when using asan to minimize the risk of exploitation.