« List of all CVEs

CVE-2026-14786

radareorg radare2 str.c r_str_word_get0set integer overflow

Published: 7/6/2026 Last updated: 7/7/2026 Reserved: 7/5/2026

A security flaw has been discovered in radareorg radare2 up to 6.1.6. This impacts the function r_str_word_get0set of the file libr/util/str.c. The manipulation results in integer overflow. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 11ac224c0eb8d57830fccc99e1c1cd8e5d958813. It is best practice to apply a patch to resolve this issue.

CNA assigner: VulDB (1af790b2-7ee1-4545-860a-a788eba489b5) Requested by: n/a

Metrics

Version Score Severity Vector String
4.0 1.9 Low CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
3.1 3 Low CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
3.0 3 Low CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
2.0 1.3 Low CVSS:2.0/AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C

Opam packages affected (2)

conf-radare2 radare2

Products affected (2)

Product Vendor Version
radare2 radareorg < 10.0
radare2 radareorg unspecified

References (14)

Credits (2)