CVE-2022-1240

7.8 HIGH

📋 TL;DR

A heap buffer overflow in radare2's Mach-O binary format parser lets an attacker who can get a crafted Mach-O file opened in radare2 crash the tool or, in the worst case, execute arbitrary code. It affects anyone who uses the radare2 reverse engineering framework to analyze untrusted Mach-O files; the bug is triggered while the specially crafted binary is parsed.

💻 Affected Systems

Products:
  • radare2
Versions: All versions prior to 5.8.6
Operating Systems: All platforms running radare2
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code is only reached when a Mach-O file is opened. An AddressSanitizer (ASan) build aborts at the out-of-bounds access instead of continuing; ordinary release builds are not compiled with ASan, so on them the memory corruption goes through silently.

📦 What is this software?

radare2 is an open-source reverse engineering framework: a disassembler, debugger and binary-format loader that opens untrusted executables (ELF, PE, Mach-O and others) by design, which is why a parser bug in it matters.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if radare2 processes attacker-controlled Mach-O files.

🟠

Likely Case

Application crash (denial of service) when processing malformed Mach-O files during reverse engineering.

🟢

If Mitigated

Limited impact if radare2 only processes trusted binaries in isolated environments.

🌐 Internet-Facing: LOW - radare2 is typically not exposed to internet-facing services.
🏢 Internal Only: MEDIUM - internal security researchers analyzing untrusted binaries could be affected.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires getting a crafted Mach-O file opened in radare2, for example by a researcher triaging a sample. The overflow surfaces in r_str_ncpy, radare2's bounded string-copy helper, when the Mach-O parser calls it with attacker-influenced data. An ASan build aborts at that point, but release builds are not compiled with ASan, so the "ASan disabled" precondition is simply the normal case.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.8.6

Vendor Advisory: https://github.com/radareorg/radare2/commit/ca8d8b39f3e34a4fd943270330b80f1148129de4

Restart Required: Yes

Instructions:

1. Update radare2 to version 5.8.6 or later.
2. Recompile if using a source distribution.
3. Restart any running radare2 processes.

🔧 Temporary Workarounds

Avoid Mach-O file processing

all

Do not use radare2 to analyze untrusted Mach-O format binaries

Compile with address sanitizer

linux

Building with AddressSanitizer turns the overflow into an immediate abort, so an attacker gets a crash rather than a controlled write. Treat this as a stopgap for analysis boxes only: ASan is a debugging aid, not a security boundary, it slows the binary down several-fold, and release packages are not built this way. The flag has to reach the linker as well as the compiler (the radare2 source tree also carries a sys/sanitize.sh helper for this kind of build):

CFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" ./configure
make
make install

🧯 If You Can't Patch

  • Restrict radare2 usage to trusted binaries only
  • Run radare2 in isolated containers or sandboxes when analyzing untrusted files

🔍 How to Verify

Check if Vulnerable:

Run 'r2 -v'; the first line starts with "radare2" followed by the version number, and the install is vulnerable if that number is below 5.8.6. (The banner contains no word "version", so grepping for it prints nothing.)

Check Version:

r2 -v | head -n 1

Verify Fix Applied:

Confirm that the version reported by 'r2 -v' is 5.8.6 or higher.
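The version check above, scripted so it can run across a fleet of analysis hosts. This is an added example, not code from the advisory or from the radare2 project; it assumes the first line of 'r2 -v' has the shape "radare2 5.8.6 0 @ linux-x86-64 git.5.8.6" (the word radare2 followed by the dotted version) and compares that number component by component against the fix version stated above.

```shell
#!/bin/sh
# Added example (not from the advisory or the radare2 project): check an
# installed radare2 against the CVE-2022-1240 fix version given above.
#
# Assumption: the first line of `r2 -v` looks like
#   radare2 5.8.6 0 @ linux-x86-64 git.5.8.6
# i.e. "radare2" followed by the dotted version number.

FIX_VERSION="5.8.6"

# Read the `r2 -v` banner on stdin and print just the dotted version.
r2_version_from_banner() {
    sed -n '1s/^radare2[[:space:]]\{1,\}\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B: succeed when dotted version A is numerically below B.
# A trailing dot is appended so `cut` always sees a delimiter; missing
# components count as 0, so "5.8" < "5.8.6".
version_lt() {
    a=$1 b=$2 i=1
    while :; do
        x=$(printf '%s.\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s.\n' "$b" | cut -d. -f"$i")
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 1            # ran out of components: versions are equal
        fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# r2_vulnerable VERSION: succeed when VERSION is below the fix version.
r2_vulnerable() {
    version_lt "$1" "$FIX_VERSION"
}

# Inspect the r2 on PATH. Returns 1 if vulnerable, 0 if fixed, 2 if the
# version could not be determined.
check_installed_r2() {
    if ! command -v r2 >/dev/null 2>&1; then
        echo "r2 not found on PATH"
        return 2
    fi
    v=$(r2 -v 2>/dev/null | r2_version_from_banner)
    if [ -z "$v" ]; then
        echo "could not parse a version out of 'r2 -v' output"
        return 2
    fi
    if r2_vulnerable "$v"; then
        echo "radare2 $v is below $FIX_VERSION: VULNERABLE to CVE-2022-1240"
        return 1
    fi
    echo "radare2 $v is at or above $FIX_VERSION: fixed"
    return 0
}

# Run the live check only when invoked with --check, so the functions can
# also be sourced into another script.
if [ "${1:-}" = "--check" ]; then
    check_installed_r2
    exit $?
fi
```

Invoke it as `sh r2_cve_2022_1240_check.sh --check`; the exit status (1 vulnerable, 0 fixed, 2 unknown) makes it usable from a configuration-management run.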

📡 Detection & Monitoring

Log Indicators:

  • Radare2 crash logs when processing Mach-O files
  • Segmentation fault errors in system logs

Network Indicators:

  • Unusual network connections from radare2 process if exploited

SIEM Query:

process_name:("r2" OR "radare2") AND (event_type:"crash" OR error:"segmentation fault")

The process name can appear either way: "r2" is the name the tool is normally launched by, while the underlying binary is "radare2", and crash records follow whichever name was invoked.
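The same detection expressed against raw kernel log lines, for hosts that do not ship to a SIEM. This is an added example, not part of the advisory; it assumes the Linux kernel's default segfault message shape ("<comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <object>[...]") and that the process name is r2 or radare2. The four log lines embedded below are constructed for the example, not captured from a real incident.

```shell
#!/bin/sh
# Added example (not from the advisory): pick radare2 segfaults out of
# kernel/syslog lines, mirroring what the SIEM query above looks for.
#
# Assumptions: the Linux kernel's default segfault message shape,
#   <comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <n> in <object>[...]
# and a process name of "r2" or "radare2" (comm follows the name the
# binary was invoked by, so either can show up).

# Print one "proc=... pid=... obj=..." line per radare2 segfault on stdin.
# The object is the shared library or binary the faulting instruction was
# in, which is what tells you a crash came out of the Mach-O loader.
r2_segfault_report() {
    sed -nE 's/.*[[:space:]](r2|radare2)\[([0-9]+)\]: segfault at .* in ([^[ ]+).*/proc=\1 pid=\2 obj=\3/p'
}

# Count radare2 segfault lines on stdin (prints 0 rather than failing).
r2_segfault_count() {
    grep -cE '[[:space:]](r2|radare2)\[[0-9]+\]: segfault at ' || true
}

# Constructed sample lines (not real logs): two radare2 faults, one
# unrelated segfault and one non-crash line.
SAMPLE_LOG='Mar 10 12:00:01 lab kernel: [1234.567890] radare2[4242]: segfault at 7f3a9c0ff000 ip 00007f3a9b2c1a10 sp 00007ffd2f3e1a20 error 4 in libr_bin.so[7f3a9b280000+1e0000]
Mar 10 12:00:02 lab kernel: [1235.000001] r2[4243]: segfault at 0 ip 00007f1d00a11b90 sp 00007ffc0a0e1900 error 6 in libr_util.so[7f1d009f0000+a0000]
Mar 10 12:00:03 lab kernel: [1236.000002] firefox[1000]: segfault at 10 ip 00007f0000000000 sp 00007ffc00000000 error 4 in libxul.so[7f0000000000+100000]
Mar 10 12:00:04 lab sshd[55]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2'

# Demonstration run over the sample: prints the two radare2 entries.
printf '%s\n' "$SAMPLE_LOG" | r2_segfault_report
```

On a live host feed it the kernel ring buffer or syslog instead of the sample, e.g. `journalctl -k | r2_segfault_report`; a burst of faults inside libr_bin.so from r2 while a Mach-O sample is being triaged is the pattern this CVE produces.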
