CVE-2022-1899

9.1 CRITICAL

📋 TL;DR

CVE-2022-1899 is an out-of-bounds read vulnerability in radare2, a popular reverse engineering framework. This vulnerability allows attackers to read memory beyond allocated buffers, potentially exposing sensitive information or causing crashes. Users of radare2 versions prior to 5.7.0 are affected.

💻 Affected Systems

Products:
  • radare2
Versions: All versions prior to 5.7.0
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of radare2 before 5.7.0 are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure of sensitive memory contents, including credentials, cryptographic keys, or other application data, potentially leading to full system compromise if combined with other vulnerabilities.

🟠 Likely Case

Application crash (denial of service) or limited information disclosure from adjacent memory regions.

🟢 If Mitigated

Minimal impact if proper memory protections (ASLR, DEP) are enabled and the application runs with limited privileges.

🌐 Internet-Facing: LOW - radare2 is typically used as a local analysis tool and is not exposed to the internet.
🏢 Internal Only: MEDIUM - Could be exploited by malicious files analyzed locally or through shared analysis environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires a user to open a malicious file with radare2. The vulnerability was discovered through a bounty program, and a proof-of-concept is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.0 and later

Vendor Advisory: https://github.com/radareorg/radare2/commit/193f4fe01d7f626e2ea937450f2e0c4604420e9d

Restart Required: No

Instructions:

1. Update radare2 to version 5.7.0 or later using your package manager.
2. For source installations: git pull from the repository and rebuild.
3. Verify the installation with 'r2 -v'.

🔧 Temporary Workarounds

Restrict file analysis (all platforms)

Only analyze trusted files with radare2 until patched.

Run with reduced privileges (linux)

Execute radare2 under a non-privileged user account to limit impact:

sudo -u nonprivileged_user r2 file_to_analyze

🧯 If You Can't Patch

  • Isolate radare2 usage to dedicated analysis VMs with no network access
  • Implement strict file validation before analysis and monitor for crashes

🔍 How to Verify

Check if Vulnerable:

Run 'r2 -v' and check whether the reported version is below 5.7.0.

Check Version:

r2 -v | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'

Verify Fix Applied:

Confirm the version is 5.7.0 or higher with 'r2 -v' and, if samples are available, test with known malicious files.
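The version check above, carried out as a script: it parses the banner that 'r2 -v' prints, compares the version against 5.7.0 field by field (so 5.10.0 correctly ranks above 5.7.0), and reports whether the installed build is affected. This is an added example, not tooling from the advisory or the radare2 project; the sample banners are constructed and the exact banner layout of a given build is an assumption.

```shell
#!/bin/sh
# Added example (not part of the advisory): decide whether a radare2 build is
# affected by CVE-2022-1899 by parsing the `r2 -v` banner and comparing the
# version against the fixed release, 5.7.0.

FIXED_VERSION="5.7.0"

# Print the first dotted major.minor.patch number found in a banner line.
extract_r2_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when version $1 is strictly lower than version $2. Fields are
# compared numerically, not as strings, so 5.10.0 is newer than 5.7.0.
# The body runs in a subshell so changing IFS does not leak to the caller.
version_lt() (
    IFS=.
    set -- $1 $2          # $1..$3 = left version, $4..$6 = right version
    if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]
    elif [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]
    else [ "$3" -lt "$6" ]
    fi
)

# Return 0 if the banner describes a vulnerable (pre-5.7.0) radare2,
# 1 if it is fixed, 2 if no version could be parsed from the banner.
r2_banner_vulnerable() {
    ver=$(extract_r2_version "$1")
    [ -n "$ver" ] || return 2
    if version_lt "$ver" "$FIXED_VERSION"; then return 0; fi
    return 1
}

# Constructed banners in the shape `r2 -v` prints; not captured from real runs.
SAMPLE_OLD="radare2 5.6.8 0 @ linux-x86-64 git.5.6.8"
SAMPLE_NEW="radare2 5.7.0 0 @ linux-x86-64 git.5.7.0"

# Check the radare2 actually installed on this host, if there is one.
check_installed_r2() {
    command -v r2 >/dev/null 2>&1 || { echo "r2 not found in PATH"; return 2; }
    banner=$(r2 -v 2>/dev/null | head -n 1)
    if r2_banner_vulnerable "$banner"; then
        echo "VULNERABLE: $banner (update to $FIXED_VERSION or later)"
    else
        echo "not affected: $banner"
    fi
}
```

Call check_installed_r2 on a host to test its own r2; the SAMPLE_* banners exercise the parser without radare2 installed.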

📡 Detection & Monitoring

Log Indicators:

  • Radare2 process crashes
  • Segmentation faults in system logs
  • Abnormal memory access patterns

Network Indicators:

  • Typically none as this is local exploitation

SIEM Query:

process_name:"r2" AND (event_type:"crash" OR exit_code:139)

(Exit code 139 is 128 + 11, the shell's encoding of a process terminated by SIGSEGV on Linux.)
