CVE-2026-8696

critical

Published 2026-05-15 · Modified 2026-05-19

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

9.8

Description

radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread information responses. Attackers can trigger the vulnerability by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures, resulting in double-free memory corruption when the error path attempts to clean up the list.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-8696

vendor Authored 2026-05-27

Vendor advisory: disclosure@vulncheck.com — https://github.com/radareorg/radare2/commit/c213ad6894a1eb9086ac8bf5fae35757e9e1683c

OS impact

OS	Version	Status	Fixed in
debian	sid	affected

Application impact

Vendor	Product	Versions	Fixed
radare	radare2	`{"endIncluding":"6.1.4"}`

References

CWEs

CWE-416

Verify integrity in audit chain (admin only). AS-IS.