CVE-2022-1297

9.1 CRITICAL

📋 TL;DR

CVE-2022-1297 is an out-of-bounds read vulnerability in the r_bin_ne_get_entrypoints function of radare2, a reverse engineering framework. Attackers can exploit this to read sensitive memory contents or cause application crashes. Users of radare2 versions prior to 5.6.8 are affected.

💻 Affected Systems

Products:
  • radare2
Versions: All versions prior to 5.6.8
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when analyzing specially crafted NE (New Executable) format files.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure of sensitive memory contents, potentially including credentials, cryptographic keys, or other application data, leading to complete system compromise.

🟠 Likely Case

Application crash (denial of service) or limited information disclosure from adjacent memory regions.

🟢 If Mitigated

Minimal impact if proper memory protections (ASLR, DEP) are enabled and the application runs with limited privileges.

🌐 Internet-Facing: LOW - radare2 is typically used as a local analysis tool and is not exposed to the internet.
🏢 Internal Only: MEDIUM - Could be exploited by malicious files analyzed locally or in shared analysis environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof-of-concept is available in the commit references; exploitation requires a user to analyze a malicious NE file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.6.8 and later

Vendor Advisory: https://github.com/radareorg/radare2/commit/0a557045476a2969c7079aec9eeb29d02f2809c6

Restart Required: No

Instructions:

1. Update radare2 to version 5.6.8 or later.
2. On Linux/macOS: Use package manager or compile from source.
3. On Windows: Download updated binary from official repository.

🔧 Temporary Workarounds

Avoid NE file analysis

all

Temporarily avoid analyzing New Executable (NE) format files with vulnerable radare2 versions.

Run with reduced privileges

linux

Execute radare2 with minimal user privileges to limit impact of potential memory disclosure.

sudo -u nobody radare2 [file]

🧯 If You Can't Patch

  • Restrict radare2 usage to trusted users only
  • Implement application allowlisting to prevent execution of untrusted radare2 instances

🔍 How to Verify

Check if Vulnerable:

Check the radare2 version: if it is below 5.6.8, the system is vulnerable.

Check Version:

r2 -v | head -n 1

Verify Fix Applied:

Confirm radare2 version is 5.6.8 or higher after update.
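
The version check above and the "Avoid NE file analysis" workaround can be combined into one intake gate. The following is an added example, not code from radare2 or from this advisory: it assumes the first line of `r2 -v` contains a dotted version triple, identifies NE files by the standard layout (MZ header, 32-bit offset at 0x3C pointing to an "NE" signature), and uses constructed banners and sample files.

```python
import re
import struct

FIXED_VERSION = (5, 6, 8)  # first fixed release according to this advisory


def parse_r2_version(banner: str):
    """Extract (major, minor, patch) from the first line of `r2 -v` output.
    Assumption: the banner carries the version as a dotted triple."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    if not m:
        raise ValueError("no dotted version found in banner")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(banner: str) -> bool:
    # Tuple comparison is numeric per component, so 5.10.0 > 5.6.8.
    return parse_r2_version(banner) < FIXED_VERSION


def is_ne_executable(data: bytes) -> bool:
    """True if data is an MZ file whose extended header is an NE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # The offset comes from the untrusted file: bounds-check before use.
    if e_lfanew > len(data) - 2:
        return False
    return data[e_lfanew:e_lfanew + 2] == b"NE"


def may_open(banner: str, data: bytes) -> bool:
    """Gate: hold NE input when the installed radare2 predates the fix."""
    return not (is_vulnerable(banner) and is_ne_executable(data))


def make_sample(sig: bytes) -> bytes:
    # Constructed sample: 64-byte DOS header, e_lfanew = 0x40, then signature.
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + sig + b"\x00" * 62


if __name__ == "__main__":
    banners = ("radare2 5.6.6 0 @ linux-x86-64",   # constructed banner
               "radare2 5.6.8 0 @ linux-x86-64")   # constructed banner
    for banner in banners:
        for name, blob in (("NE", make_sample(b"NE")), ("PE", make_sample(b"PE\0\0"))):
            verdict = "open" if may_open(banner, blob) else "hold"
            print(banner.split()[1], name, verdict)
```

In an analysis pipeline, pass the real first line of `r2 -v` as `banner` and the file's bytes as `data`, and quarantine anything for which `may_open` returns False until radare2 is updated.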

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults when processing NE files
  • Unusual memory access patterns in system logs

Network Indicators:

  • Typically none - local exploitation only

SIEM Query:

Process:radare2 AND (EventID:1000 OR Signal:SIGSEGV)
