CVE-2026-8695
radare2 6.1.5 Use-After-Free via gdbr_threads_list()
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response. Attackers can exploit this vulnerability through GDB remote debugging to cause a denial of service or potentially achieve code execution by manipulating thread list processing.
| CWE | CWE-416 |
| Vendor | radare2 |
| Product | radare2 |
| Published | May 15, 2026 |
| Last Updated | May 15, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Affected Versions
| radare2 / radare2 | 6.1.5 |
References
github.com: https://github.com/radareorg/radare2/issues/25835
github.com: https://github.com/radareorg/radare2/commit/c213ad6894a1eb9086ac8bf5fae35757e9e1683c
vulncheck.com: https://www.vulncheck.com/advisories/radare2-use-after-free-via-gdbr-threads-list
github.com: https://github.com/radareorg/radare2/issues/25836
Credits
Saad Elharaj