CVE-2022-28068

7.5 HIGH

📋 TL;DR

CVE-2022-28068 is a heap buffer overflow in the r_sleb128 function of radare2, a popular reverse engineering framework. r_sleb128 decodes SLEB128 (signed LEB128) variable-length integers from binary input, so an attacker who gets a victim to open a crafted file can trigger the bug during ordinary analysis. The reported outcome is memory corruption; in practice that means a crash (denial of service), with code execution possible in principle but not demonstrated. radare2 versions 5.4.0 and 5.4.2 are affected.
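The mechanism, as an added example written for this page rather than radare2's own code (the function names sleb128_unbounded, sleb128_bounded, decode_sleb128 and overread_bytes are hypothetical, radare2's real signatures are not reproduced, and every byte sequence is constructed): an SLEB128 decoder that stops only when it meets a byte with the continuation bit (0x80) clear walks straight off the end of a buffer whose last byte has that bit set, which is exactly what a crafted file can arrange. The bounded variant takes the end of the buffer and fails closed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* SLEB128: 7 payload bits per byte, least significant group first; bit 0x80
 * means "another byte follows"; bit 0x40 of the final byte is the sign. */

/* Unbounded decoder (the bug class): it trusts the continuation bit and has
 * no notion of where the buffer ends, so input whose final byte has 0x80 set
 * makes it read past the allocation. */
static int64_t sleb128_unbounded(const uint8_t **pp)
{
    const uint8_t *p = *pp;
    uint64_t result = 0;
    unsigned shift = 0;
    uint8_t byte;
    do {
        byte = *p++;
        if (shift < 64) {
            result |= (uint64_t)(byte & 0x7f) << shift;
        }
        shift += 7;
    } while (byte & 0x80);
    if (shift < 64 && (byte & 0x40)) {
        result |= ~(uint64_t)0 << shift;            /* sign-extend */
    }
    *pp = p;
    return (int64_t)result;
}

/* Bounded decoder: the caller passes the end of the buffer and the decoder
 * never reads at or beyond it. Returns 0 on success, -1 on truncated input
 * (the crafted case), -2 on an encoding too long for 64 bits. */
static int sleb128_bounded(const uint8_t **pp, const uint8_t *end, int64_t *out)
{
    const uint8_t *p = *pp;
    uint64_t result = 0;
    unsigned shift = 0;
    uint8_t byte;
    do {
        if (p >= end) {
            return -1;                              /* the missing check */
        }
        if (shift >= 64) {
            return -2;                              /* 11th byte: reject */
        }
        byte = *p++;
        result |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift < 64 && (byte & 0x40)) {
        result |= ~(uint64_t)0 << shift;
    }
    *pp = p;
    *out = (int64_t)result;
    return 0;
}

/* Convenience wrapper: decode one value from a whole buffer (hypothetical). */
static int decode_sleb128(const uint8_t *buf, size_t len, int64_t *out)
{
    const uint8_t *p = buf;
    *out = 0;
    return sleb128_bounded(&p, buf + len, out);
}

/* Measures the over-read without undefined behaviour: the crafted input is
 * copied into a larger heap block whose trailing "slack" bytes (which must end
 * with a byte lacking 0x80) stand in for whatever follows a real allocation.
 * Returns how many bytes past the logical end the unbounded decoder consumed. */
static size_t overread_bytes(const uint8_t *input, size_t len,
                             const uint8_t *slack, size_t slack_len)
{
    uint8_t *block = malloc(len + slack_len);
    if (!block) {
        return 0;
    }
    memcpy(block, input, len);
    memcpy(block + len, slack, slack_len);
    const uint8_t *p = block;
    (void)sleb128_unbounded(&p);
    size_t consumed = (size_t)(p - block);
    free(block);
    return consumed > len ? consumed - len : 0;
}

int main(void)
{
    /* Constructed inputs. */
    static const uint8_t ok[]      = {0xe5, 0x8e, 0x26};       /* 624485 */
    static const uint8_t crafted[] = {0x80, 0x80};             /* never terminates */
    static const uint8_t slack[]   = {0x80, 0x80, 0x80, 0x00}; /* "adjacent" heap */
    int64_t v;
    decode_sleb128(ok, sizeof ok, &v);
    printf("ok      -> %lld\n", (long long)v);
    printf("crafted -> bounded status %d, unbounded over-read %zu bytes\n",
           decode_sleb128(crafted, sizeof crafted, &v),
           overread_bytes(crafted, sizeof crafted, slack, sizeof slack));
    return 0;
}
```

The slack bytes model only the benign case. In a real process the bytes after the allocation are whatever the heap holds; if each of them happens to have 0x80 set, the unbounded loop keeps walking until it reaches an unmapped page (a crash) or a byte that stops it, and the "decoded" value is built from memory the input never contained.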

💻 Affected Systems

Products:
  • radare2
Versions: 5.4.0 and 5.4.2
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of the affected versions are vulnerable; the bug triggers whenever a crafted file reaches the r_sleb128 decoder, which happens during normal analysis of a malicious binary.

📦 What is this software?

radare2 is an open-source reverse engineering framework (disassembler, debugger and binary analysis toolkit) that parses many executable and debug formats. r_sleb128 is the library routine in libr/util that decodes SLEB128 (signed LEB128) variable-length integers, an encoding used in DWARF debug information and similar structures, so it operates directly on attacker-controlled bytes whenever such data is analyzed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Code execution with the privileges of the radare2 process if the memory corruption turns out to be controllable (not demonstrated), leading to full system compromise when radare2 is run as root or another privileged user.

🟠 Likely Case

Application crash (denial of service) or limited memory corruption leading to unstable behavior or garbage analysis results.

🟢 If Mitigated

Minimal impact if radare2 runs in a sandboxed environment with limited privileges and only analyzes files from trusted sources.

🌐 Internet-Facing: LOW - radare2 is a local analysis tool and is not normally exposed to network traffic.
🏢 Internal Only: MEDIUM - Analysts routinely open untrusted files (malware samples, third-party binaries) in radare2, so a crafted file delivered to an analyst is a realistic vector inside a network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes (no credentials are involved; the victim only has to open or auto-analyze the crafted file)
Complexity: MEDIUM

Exploitation requires crafting a file whose SLEB128-encoded field drives the decoder past the end of its buffer; no public proof-of-concept has been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.4.3 and later (any release that contains the fix commit below)

Fix Commit: https://github.com/radareorg/radare2/commit/637f4bd1af6752e28e0a9998e954e2e9ce6fa992

Restart Required: No (r2 is a short-lived command-line tool; re-launch any long-running instances)

Instructions:

1. Update radare2 to version 5.4.3 or later using your package manager, then confirm with r2 -v.
2. For a manual build from upstream (this installs the current master branch, which contains the fix): git clone https://github.com/radareorg/radare2 && cd radare2 && sys/install.sh

🔧 Temporary Workarounds

Restrict file processing (all platforms)

Limit radare2 to analyzing files from trusted, verified sources; the bug triggers only when a crafted file reaches the SLEB128 decoder during analysis.

Run with reduced privileges (linux)

Execute radare2 as an unprivileged user so that a successful exploit gains no more than that user's access:

sudo -u lowprivilegeuser r2 target_file

🧯 If You Can't Patch

  • Isolate radare2 usage to dedicated analysis systems (a VM or container) with no network access and nothing sensitive on them
  • Treat every file opened in radare2 as untrusted; a binary cannot be validated without parsing it, so containment, not input filtering, is the control

🔍 How to Verify

Check if Vulnerable:

Run r2 -v; versions 5.4.0 and 5.4.2 are affected.

Check Version:

r2 -v | grep -oE '[0-9]+\.[0-9]+\.[0-9]+'

Distribution packages may carry the fix as a backport without a version bump; when in doubt, check the package changelog for the fix commit hash.

Verify Fix Applied:

After updating, run r2 -v again and confirm the version is 5.4.3 or later.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation-fault messages for r2 or radare2 processes in the kernel log (dmesg, journalctl -k) and core dumps listed by coredumpctl on systemd hosts
  • Crashes that recur every time a particular file is opened: a sign of a malformed input rather than a random fault

Network Indicators:

  • Unusual outbound connections from systems running radare2 (only meaningful if exploitation progressed beyond a crash)

SIEM Query (pseudo-query; adapt the field names to your schema):

process_name:("r2" OR "radare2") AND (event_type:"crash" OR memory_usage:>threshold)
