CVE-2026-8695
Published: 2026-05-15 · Last updated: 2026-05-18
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- CWE: CWE-416
Affected products
| Vendor | Product |
|---|---|
| radare | radare2 |
Description
radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers to trigger memory corruption by sending a valid qfThreadInfo response followed by a malformed qsThreadInfo response. Attackers can exploit this vulnerability through GDB remote debugging to cause a denial of service or potentially achieve code execution by manipulating thread list processing.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-8695)
- [Patch](https://github.com/radareorg/radare2/commit/c213ad6894a1eb9086ac8bf5fae35757e9e1683c)
- [Exploit reference](https://github.com/radareorg/radare2/issues/25835)
- [Exploit reference](https://github.com/radareorg/radare2/issues/25836)
- [Other](https://www.vulncheck.com/advisories/radare2-use-after-free-via-gdbr-threads-list)
Related CVEs
Same vendor
- CVE-2026-8696 — radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote atta... (7.5 HIGH)
- CVE-2026-6942 — radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to execute arbitrary co... (9.8 CRITICAL)
- CVE-2026-40527 — radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can ... (7.8 HIGH)
Same CWE
- CVE-2026-41158 — Software installed and run as a non-privileged user may conduct GPU system calls to write to arbitrary freed physical pages
- CVE-2026-12035 — Use after free in Views in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to potentially exploit heap corrupt... (8.8 HIGH)
- CVE-2026-12029 — Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer pr... (8.3 HIGH)
- CVE-2026-12028 — Use after free in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer proc... (8.3 HIGH)
- CVE-2026-12023 — Use after free in GPU in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process ... (8.3 HIGH)