Source: radare2
Version: 6.0.7+ds-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/radareorg/radare2/issues/25836
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for radare2.

CVE-2026-8696[0]:
| radare2 6.1.5 contains a use-after-free vulnerability in the
| gdbr_pids_list() function within the GDB client core that allows
| remote attackers to cause a denial of service or potentially execute
| arbitrary code by sending malformed thread information responses.
| Attackers can trigger the vulnerability by causing qsThreadInfo to
| fail after qfThreadInfo successfully allocates RDebugPid structures,
| resulting in double-free memory corruption when the error path
| attempts to clean up the list.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8696
    https://www.cve.org/CVERecord?id=CVE-2026-8696
[1] https://github.com/radareorg/radare2/issues/25836
[2] https://github.com/radareorg/radare2/commit/c213ad6894a1eb9086ac8bf5fae35757e9e1683c

Regards,
Salvatore
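The following is an added example, not part of the original report and not radare2 code. It is a constructed model of the ownership mistake the CVE text describes, assuming the error path releases each element by hand and then frees a list that also owns its elements; `Pid`, `List` and all function names are hypothetical, and a static pool with a release counter stands in for `free()` so a second release can be counted without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_ITEMS 8
typedef struct { int pid; int releases; } Pid;   /* stands in for RDebugPid */
typedef struct {
    Pid *items[MAX_ITEMS];
    size_t n;
    void (*free_item)(Pid *);                    /* list owns its elements */
} List;

static Pid pool[MAX_ITEMS];                      /* constructed backing store */
static size_t pool_used;

static void pid_release(Pid *p) { p->releases++; }   /* models free(p) */

static Pid *pid_new(int pid) {
    Pid *p = &pool[pool_used++];
    p->pid = pid;
    p->releases = 0;
    return p;
}

static void list_free(List *l) {                 /* owner releases what it holds */
    for (size_t i = 0; i < l->n; i++)
        if (l->free_item) l->free_item(l->items[i]);
    l->n = 0;
}

/* Vulnerable shape: elements released by hand, then again by list_free(). */
static void cleanup_vulnerable(List *l) {
    for (size_t i = 0; i < l->n; i++) pid_release(l->items[i]);
    list_free(l);
}

/* Hardened shape: exactly one owner releases the elements. */
static void cleanup_fixed(List *l) { list_free(l); }

/* First reply (qfThreadInfo) fills the list, the follow-up (qsThreadInfo)
 * fails, the error path runs. Returns how many elements were released twice. */
int double_releases_after_failed_followup(int use_fixed) {
    List l = { .n = 0, .free_item = pid_release };
    pool_used = 0;
    for (int pid = 1; pid <= 3; pid++) l.items[l.n++] = pid_new(pid);
    int followup_ok = 0;                         /* constructed: follow-up fails */
    if (!followup_ok) {
        if (use_fixed) cleanup_fixed(&l); else cleanup_vulnerable(&l);
    }
    int doubles = 0;
    for (size_t i = 0; i < pool_used; i++) doubles += pool[i].releases > 1;
    return doubles;
}

int main(void) {
    printf("vulnerable: %d\n", double_releases_after_failed_followup(0));
    printf("fixed:      %d\n", double_releases_after_failed_followup(1));
    return 0;
}
```

When reviewing a backport of the upstream fix, the same question applies to every exit path of the function: which single owner releases the `RDebugPid` entries once the list has been populated.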

