CVE-2022-28072

7.5 HIGH

📋 TL;DR

A heap buffer overflow vulnerability in the r_read_le32 function of radare2 versions 5.4.2 and 5.4.0 allows attackers to execute arbitrary code or cause denial of service. This affects users who process untrusted binary files with radare2, a reverse engineering framework. The vulnerability occurs when reading malformed input files.

💻 Affected Systems

Products:
  • radare2
Versions: 5.4.2 and 5.4.0 specifically
Operating Systems: All platforms running radare2 (Linux, Windows, macOS, etc.)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects these specific versions; earlier and later versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the radare2 process, potentially leading to full system compromise if radare2 runs with elevated privileges.

🟠

Likely Case

Application crash (denial of service) when processing malicious files, potentially corrupting analysis results.

🟢

If Mitigated

Limited impact if radare2 runs in sandboxed environments with minimal privileges and processes only trusted files.

🌐 Internet-Facing: LOW - radare2 is typically not exposed directly to the internet as a service.
🏢 Internal Only: MEDIUM - internal users could be tricked into analyzing malicious files, leading to local compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting a malicious binary file that triggers the buffer overflow when parsed by radare2.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 027cd9b7274988bb1af866539ba6c2fa2ff63e45 and later versions

Vendor Advisory: https://github.com/radareorg/radare2/commit/027cd9b7274988bb1af866539ba6c2fa2ff63e45

Restart Required: No

Instructions:

1. Update radare2 to the latest version from the official repository.
2. Rebuild from source if using compiled versions.
3. Verify the fix by checking that the build includes commit 027cd9b7274988bb1af866539ba6c2fa2ff63e45.

🔧 Temporary Workarounds

Avoid processing untrusted files (platform: all)

Restrict radare2 usage to trusted binary files only.

Run radare2 with reduced privileges (platform: linux)

Execute radare2 with non-root/non-admin privileges to limit potential damage.

sudo -u lowprivuser radare2 [file]

🧯 If You Can't Patch

  • Downgrade to radare2 version 5.4.1 or earlier, which are not affected.
  • Use alternative reverse engineering tools for analyzing untrusted files.

🔍 How to Verify

Check if Vulnerable:

Check the radare2 version with 'r2 -v'. If the output shows 5.4.2 or 5.4.0, the system is vulnerable.

Check Version:

r2 -v

Verify Fix Applied:

After updating, verify that the build includes commit 027cd9b7274988bb1af866539ba6c2fa2ff63e45 using 'r2 -V' or by checking the source code.

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from radare2 processes
  • Unexpected process termination of radare2

SIEM Query:

ProcessName="radare2" AND (EventID="1000" OR EventID="1001")
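A small triage helper covering both the version check in "How to Verify" and the crash-log indicators above, added here as an example (it is not from the advisory or the radare2 project): it parses the version out of `r2 -v` output and compares it with the affected list, and it flags Linux kernel segfault messages from radare2/r2 processes in constructed sample log lines. The exact `r2 -v` output format and the log lines are assumptions.

```python
import re

# Versions the advisory lists as affected by CVE-2022-28072.
AFFECTED_VERSIONS = {"5.4.0", "5.4.2"}

# Assumption: `r2 -v` prints a line containing "radare2 X.Y.Z" (format constructed here).
VERSION_RE = re.compile(r"\bradare2\s+(\d+\.\d+\.\d+)")


def affected_version(r2_v_output):
    """Return (version, is_affected) parsed from the output of `r2 -v`."""
    m = VERSION_RE.search(r2_v_output)
    if not m:
        return None, False
    version = m.group(1)
    return version, version in AFFECTED_VERSIONS


# Linux kernel segfault messages (dmesg / journal) look like:
#   radare2[4242]: segfault at <addr> ip <ip> sp <sp> error 4 in libr_util.so[...]
SEGFAULT_RE = re.compile(
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r".*? in (?P<obj>[^\[\s]+)"
)
RADARE_BINARIES = {"radare2", "r2"}


def radare2_crashes(log_lines):
    """Return a list of segfaults belonging to radare2/r2 processes."""
    hits = []
    for line in log_lines:
        m = SEGFAULT_RE.search(line)
        if m and m.group("proc") in RADARE_BINARIES:
            hits.append({"pid": int(m.group("pid")), "addr": m.group("addr"),
                         "obj": m.group("obj"), "line": line})
    return hits


# Constructed sample log lines; not real events.
SAMPLE_LOG = [
    "Mar 30 12:00:01 host kernel: radare2[4242]: segfault at 7f1a2b3c4d00 ip 00007f1a2b000123 sp 00007ffd11223344 error 4 in libr_util.so[7f1a2a000000+100000]",
    "Mar 30 12:00:05 host kernel: r2[4300]: segfault at 0 ip 0000558811223344 sp 00007ffd55667788 error 6 in r2[558811200000+1000]",
    "Mar 30 12:01:00 host kernel: firefox[1000]: segfault at 10 ip 00007f0000000010 sp 00007ffd00000000 error 4 in libxul.so[7f0000000000+1000]",
    "Mar 30 12:02:00 host sshd[900]: Accepted publickey for alice from 10.0.0.5 port 51234",
]

if __name__ == "__main__":
    print(affected_version("radare2 5.4.2 0 @ linux-x86-64"))
    for hit in radare2_crashes(SAMPLE_LOG):
        print(f"radare2 crash: pid={hit['pid']} fault addr=0x{hit['addr']} in {hit['obj']}")
```

The firefox and sshd lines are ignored, so only the two radare2/r2 segfaults are reported; feed it `journalctl -k` or dmesg output to run it over real data.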
