CVE-2026-4174

A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS".

CVSS v3 3.3 LOW
CVSS v2.0 1.7 LOW

3.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:S/C:N/I:N/A:P

Exploitability : 3.1 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://github.com/ToddAWalter/radare2/commit/4371ae84c99c46b48cb21badbbef06b30757aba0
https://github.com/radareorg/radare2/issues/25482
https://github.com/radareorg/radare2/milestone/94
https://github.com/user-attachments/files/25620145/gen_macho_poc.py
https://vuldb.com/?ctiid.351081
https://vuldb.com/?id.351081
https://vuldb.com/?submit.769799

Configurations

No configuration.

History

22 Apr 2026, 21:32

Type	Values Removed	Values Added
Summary		(es) Se ha encontrado una vulnerabilidad en Radare2 5.9.9. Este problema afecta a la función walk_exports_trie del archivo libr/bin/format/mach0/mach0.c del componente Mach-O File Parser. Dicha manipulación conduce al consumo de recursos. El ataque solo puede realizarse desde un entorno local. El exploit ha sido divulgado al público y puede ser utilizado. La existencia de esta vulnerabilidad aún está en disputa actualmente. La actualización a la versión 6.1.2 es capaz de abordar este problema. El nombre del parche es 4371ae84c99c46b48cb21badbbef06b30757aba0. Debería actualizar el componente afectado. El mantenedor del código afirma que, 'no considerará este error un DoS'.

16 Mar 2026, 14:19

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-16 14:19

Updated : 2026-04-29 01:00

NVD link : CVE-2026-4174

Mitre link : CVE-2026-4174

CVE.ORG link : CVE-2026-4174

JSON object : View

Products Affected

No product.

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-404

Improper Resource Shutdown or Release

3.3 /10

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

1.7 /10

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2026-4174

3.3^/10

1.7^/10

Attach tags to `CVE-2026-4174`