radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response. Attackers can exploit this vulnerability through GDB remote debugging to cause a denial of service or potentially achieve code execution by manipulating thread list processing.
References
| Link | Resource |
|---|---|
| https://github.com/radareorg/radare2/commit/c213ad6894a1eb9086ac8bf5fae35757e9e1683c | Patch |
| https://github.com/radareorg/radare2/issues/25835 | Exploit Issue Tracking |
| https://github.com/radareorg/radare2/issues/25836 | Exploit Issue Tracking |
| https://www.vulncheck.com/advisories/radare2-use-after-free-via-gdbr-threads-list | Third Party Advisory |
| https://github.com/radareorg/radare2/issues/25835 | Exploit Issue Tracking |
Configurations
History
18 May 2026, 18:38
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/radareorg/radare2/commit/c213ad6894a1eb9086ac8bf5fae35757e9e1683c - Patch | |
| References | () https://github.com/radareorg/radare2/issues/25835 - Exploit, Issue Tracking | |
| References | () https://github.com/radareorg/radare2/issues/25836 - Exploit, Issue Tracking | |
| References | () https://www.vulncheck.com/advisories/radare2-use-after-free-via-gdbr-threads-list - Third Party Advisory | |
| First Time |
Radare radare2
Radare |
|
| CPE | cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:* |
15 May 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
|
| References | () https://github.com/radareorg/radare2/issues/25835 - |
15 May 2026, 17:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-15 17:16
Updated : 2026-05-18 18:38
NVD link : CVE-2026-8695
Mitre link : CVE-2026-8695
CVE.ORG link : CVE-2026-8695
JSON object : View
Products Affected
radare
- radare2
CWE
CWE-416
Use After Free