CVE-2022-28070

7.5 HIGH

📋 TL;DR

A null pointer dereference in radare2's __core_anal_fcn function allows attackers to cause a denial of service (application crash) and potentially execute arbitrary code. This affects users of radare2 versions 5.4.0 and 5.4.2 who analyze untrusted binary files.

💻 Affected Systems

Products:
  • radare2
Versions: 5.4.0 and 5.4.2
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only reachable when analyzing binary files that exercise the affected function; not every usage scenario triggers it.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if combined with other vulnerabilities or memory corruption techniques.

🟠

Likely Case

Application crash (denial of service) when processing specially crafted binary files.

🟢

If Mitigated

Limited to denial of service with proper sandboxing and input validation.

🌐 Internet-Facing: LOW - radare2 is typically used locally for binary analysis, not as an internet-facing service.
🏢 Internal Only: MEDIUM - Internal security researchers and developers using radare2 on untrusted binaries could be affected.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious binary file that triggers the null pointer dereference. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.4.3 and later

Vendor Advisory: https://github.com/radareorg/radare2/commit/4aff1bb00224de4f5bc118f987dfd5d2fe3450d0

Restart Required: No

Instructions:

1. Update radare2 to version 5.4.3 or later using your package manager.
2. For source installations: git pull from the radare2 repository and rebuild.
3. Verify the fix by checking the version with 'r2 -v'.

🔧 Temporary Workarounds

Avoid untrusted binary analysis

Platform: all

Do not use radare2 to analyze untrusted or unknown binary files until patched.

Use sandboxed environment

Platform: linux

Run radare2 in a container or virtual machine when analyzing potentially malicious binaries.

docker run --rm -it radareorg/radare2:latest

🧯 If You Can't Patch

  • Restrict radare2 usage to trusted binaries only
  • Implement strict file validation and scanning before analysis

🔍 How to Verify

Check if Vulnerable:

Check radare2 version with 'r2 -v'. If version is 5.4.0 or 5.4.2, the system is vulnerable.

Check Version:

r2 -v

Verify Fix Applied:

After updating, verify version is 5.4.3 or later with 'r2 -v'.
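The version check above, scripted so it can run across a fleet, as an added example that is not part of the advisory. It assumes `r2 -v` prints a first line beginning "radare2 <version>" (the sample output below is constructed), and classifies only the versions the advisory names: 5.4.0 and 5.4.2 as vulnerable, 5.4.3 and later as fixed, anything else as unknown.

```shell
#!/bin/sh
# Added example: classify an installed radare2 against CVE-2022-28070.

# Constructed sample of `r2 -v` output (assumed format: "radare2 <version> ...").
SAMPLE_R2_OUTPUT="radare2 5.4.2 0 @ linux-x86-64 git.5.4.2
commit: 0000000 build: 2022-01-01"

# Extract the first dotted version token from `r2 -v` output.
r2_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^radare2 \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 >= $2 (numeric compare of up to three fields).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# Print vulnerable / fixed / unknown for a version string, per the advisory:
# 5.4.0 and 5.4.2 are affected; 5.4.3 and later carry the fix; other versions
# are outside what the advisory states, so they are reported as unknown.
cve_2022_28070_status() {
    case "$1" in
        5.4.0|5.4.2) echo vulnerable ;;
        "")          echo unknown ;;
        *) if version_ge "$1" 5.4.3; then echo fixed; else echo unknown; fi ;;
    esac
}

# Check the real installation when r2 is on PATH; otherwise use the sample.
if command -v r2 >/dev/null 2>&1; then
    out=$(r2 -v 2>/dev/null || true)
    echo "installed radare2: $(cve_2022_28070_status "$(r2_version_from_output "$out")")"
else
    echo "r2 not on PATH; sample output classifies as: $(cve_2022_28070_status "$(r2_version_from_output "$SAMPLE_R2_OUTPUT")")"
fi
```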

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from radare2 process
  • Abnormal termination of radare2 sessions

Network Indicators:

  • Not applicable - local tool

SIEM Query:

Process:radare2 AND (EventID:1000 OR Signal:SIGSEGV)
