pancake

68 exploits Active since Feb 2017
CVE-2026-6942 CRITICAL WRITEUP
radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass
radare2-mcp version 1.6.0 and earlier contains an OS command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metacharacters in user-controlled input passed to r2_cmd_str(). Attackers can inject shell metacharacters through the JSON-RPC interface parameters to achieve remote code execution on the host running radare2-mcp without requiring authentication.
CVSS 9.8
CVE-2026-40499 HIGH WRITEUP
radare2 < 6.1.4 Command Injection via PDB Parser print_gvars()
radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.
CVE-2026-4174 LOW WRITEUP
Radare2 5.9.9 - DoS
A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] won't consider this bug a DoS".
CVSS 3.3
CVE-2017-10929 HIGH WRITEUP
Radare2 - Memory Corruption
The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, possibly related to a read overflow in the grub_disk_read_small_real function in kern/disk.c in GNU GRUB 2.02.
CVSS 7.8
CVE-2017-15368 HIGH WRITEUP
Radare2 - Out-of-Bounds Read
The wasm_dis function in libr/asm/arch/wasm/wasm.c in radare2 2.0.0 allows remote attackers to cause a denial of service (stack-based buffer over-read and application crash) or possibly have unspecified other impact via a crafted WASM file that triggers an incorrect r_hex_bin2str call.
CVSS 7.8
CVE-2017-15385 HIGH WRITEUP
Radare2 - Memory Corruption
The store_versioninfo_gnu_verdef function in libr/bin/format/elf/elf.c in radare2 2.0.0 allows remote attackers to cause a denial of service (r_read_le16 invalid write and application crash) or possibly have unspecified other impact via a crafted ELF file.
CVSS 7.8
CVE-2017-15931 HIGH WRITEUP
Radare2 - Out-of-Bounds Read
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verneed() in libr/bin/format/elf/elf.c via crafted ELF files on 32-bit systems.
CVSS 7.8
CVE-2017-15932 HIGH WRITEUP
Radare2 - Out-of-Bounds Read
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo_gnu_verdef() in libr/bin/format/elf/elf.c via crafted ELF files when parsing the ELF version on 32-bit systems.
CVSS 7.8
CVE-2017-16358 HIGH WRITEUP
radare 2.0.1 - Memory Corruption
In radare 2.0.1, an out-of-bounds read vulnerability exists in string_scan_range() in libr/bin/bin.c when doing a string search.
CVSS 7.8
CVE-2017-16805 MEDIUM WRITEUP
radare2 2.0.1 - DoS
In radare2 2.0.1, libr/bin/dwarf.c allows remote attackers to cause a denial of service (invalid read and application crash) via a crafted ELF file, related to r_bin_dwarf_parse_comp_unit in dwarf.c and sdb_set_internal in shlr/sdb/src/sdb.c.
CVSS 5.5
CVE-2017-6197 MEDIUM WRITEUP
Radare2 - NULL Pointer Dereference
The r_read_* functions in libr/include/r_endian.h in radare2 1.2.1 allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted binary file, as demonstrated by the r_read_le32 function.
CVSS 5.5
CVE-2017-6319 HIGH WRITEUP
Radare2 - Memory Corruption
The dex_parse_debug_item function in libr/bin/p/bin_dex.c in radare2 1.2.1 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted DEX file.
CVSS 7.8
CVE-2017-7854 MEDIUM WRITEUP
Radare2 - Out-of-Bounds Read
The consume_init_expr function in wasm.c in radare2 1.3.0 allows remote attackers to cause a denial of service (heap-based buffer over-read and application crash) via a crafted Web Assembly file.
CVSS 5.5
CVE-2017-7946 MEDIUM WRITEUP
Radare2 - Use After Free
The get_relocs_64 function in libr/bin/format/mach0/mach0.c in radare2 1.3.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted Mach0 file.
CVSS 5.5
CVE-2017-9520 MEDIUM WRITEUP
radare2 1.5.0 - DoS
The r_config_set function in libr/config/config.c in radare2 1.5.0 allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted DEX file.
CVSS 5.5
CVE-2017-9761 MEDIUM WRITEUP
radare2 <1.5.0 - DoS
The find_eoq function in libr/core/cmd.c in radare2 1.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
CVSS 5.5
CVE-2017-9763 HIGH WRITEUP
GNU GRUB <2013-11-12 - DoS
The grub_ext2_read_block function in fs/ext2.c in GNU GRUB before 2013-11-12, as used in shlr/grub/fs/ext2.c in radare2 1.5.0, allows remote attackers to cause a denial of service (excessive stack use and application crash) via a crafted binary file, related to use of a variable-size stack array.
CVSS 7.5
CVE-2017-9949 HIGH WRITEUP
Radare2 - Out-of-Bounds Write
The grub_memmove function in shlr/grub/kern/misc.c in radare2 1.5.0 allows remote attackers to cause a denial of service (stack-based buffer underflow and application crash) or possibly have unspecified other impact via a crafted binary file, possibly related to a buffer underflow in fs/ext2.c in GNU GRUB 2.02.
CVSS 7.8
CVE-2018-11375 MEDIUM WRITEUP
Radare2 - Out-of-Bounds Read
The _inst__lds() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
CVSS 5.5
CVE-2018-11377 MEDIUM WRITEUP
Radare2 - Out-of-Bounds Read
The avr_op_analyze() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
CVSS 5.5
CVE-2018-11378 HIGH WRITEUP
Radare2 - Memory Corruption
The wasm_dis() function in libr/asm/arch/wasm/wasm.c in or possibly have unspecified other impact via a crafted WASM file.
CVSS 7.8
CVE-2018-11379 MEDIUM WRITEUP
Radare2 - Out-of-Bounds Read
The get_debug_info() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted PE file.
CVSS 5.5
CVE-2018-11381 MEDIUM WRITEUP
Radare2 - Out-of-Bounds Read
The string_scan_range() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
CVSS 5.5
CVE-2018-11382 MEDIUM WRITEUP
Radare2 - Out-of-Bounds Read
The _inst__sts() function in radare2 2.5.0 allows remote attackers to cause a denial of service (heap-based out-of-bounds read and application crash) via a crafted binary file.
CVSS 5.5
CVE-2018-11383 MEDIUM WRITEUP
Radare2 - Use of Uninitialized Resource
The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers to cause a denial of service (invalid free and application crash) via a crafted ELF file because of an uninitialized variable in the CPSE handler in libr/anal/p/anal_avr.c.
CVSS 5.5