CVE-2023-4322

9.8 CRITICAL

📋 TL;DR

A heap-based buffer overflow vulnerability in radare2 versions prior to 5.9.0 allows attackers to execute arbitrary code or cause denial of service. This affects users of the radare2 reverse engineering framework who process untrusted input files. The vulnerability is remotely exploitable with high impact.

💻 Affected Systems

Products:
  • radare2
Versions: All versions prior to 5.9.0
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability triggers when processing specially crafted input files through radare2's analysis functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠 Likely Case: Application crash (denial of service) or limited code execution in the context of the radare2 process.

🟢 If Mitigated: No impact if patched or if radare2 is not used to analyze untrusted files.

🌐 Internet-Facing: MEDIUM - radare2 is typically used offline, but could be exposed via web interfaces or automated analysis systems.
🏢 Internal Only: HIGH - if used internally to analyze malicious files, could lead to lateral movement within networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept available through huntr.dev bounty details. Exploitation requires feeding malicious input to radare2.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.9.0 and later

Vendor Advisory: https://github.com/radareorg/radare2/commit/ba919adb74ac368bf76b150a00347ded78b572dd

Restart Required: No

Instructions:

1. Update radare2 to version 5.9.0 or later using your package manager.
2. For source installations: git clone https://github.com/radareorg/radare2 && cd radare2 && sys/install.sh

🔧 Temporary Workarounds

Restrict file processing (all platforms)

Limit radare2 to trusted files only and avoid processing untrusted input.

Sandbox execution (linux)

Run radare2 in a container or sandboxed environment to limit impact:

docker run --rm -v $(pwd):/work radareorg/radare2:latest r2 /work/file

🧯 If You Can't Patch

  • Disable or remove radare2 from production systems
  • Implement strict file validation and only allow trusted, verified files to be analyzed

🔍 How to Verify

Check if Vulnerable:

Print the installed radare2 version (the first line of r2 -v output has the form "radare2 X.Y.Z ..."):

r2 -v | head -n 1

Verify Fix Applied:

Confirm the version is 5.9.0 or higher. The check below compares numerically with sort -V (GNU coreutils), so that 5.10.x and later releases also count as patched:

printf '%s\n' 5.9.0 "$(r2 -v | awk 'NR==1{print $2}')" | sort -V | head -n 1 | grep -qx 5.9.0 && echo 'Patched'
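Added example (not from this advisory or the radare2 project): a POSIX sh check that parses the first line of r2 -v output and compares the version against the 5.9.0 fix release field by field, so that 5.10.x or 6.x is not misclassified the way a regex match can. It assumes the first line of r2 -v reads "radare2 X.Y.Z ..."; the sample output lines are constructed.

```shell
#!/bin/sh
# Added example: decide whether an installed radare2 is at or past the 5.9.0 fix
# for CVE-2023-4322 by parsing `r2 -v` output (first line: "radare2 X.Y.Z ...")
# and comparing the version numerically, field by field.

# Constructed samples of the first line printed by `r2 -v` (not captured from real hosts).
SAMPLE_OLD='radare2 5.8.8 0 @ linux-x86-64 git.5.8.8'
SAMPLE_FIXED='radare2 5.9.0 0 @ linux-x86-64 git.5.9.0'
SAMPLE_NEWER='radare2 5.10.2 0 @ linux-x86-64 git.5.10.2'
SAMPLE_JUNK='command not found: r2'

# Print the version token from `r2 -v` output; prints nothing if it does not look like r2.
r2_version_from_output() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "radare2" { print $2 }'
}

# Return 0 when version $1 >= version $2, comparing dot-separated numeric fields
# (so 5.10.2 > 5.9.0, which a string or regex comparison gets wrong).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# Classify `r2 -v` output: "patched", "vulnerable", or "unknown" (could not parse).
cve_2023_4322_status() {
  v=$(r2_version_from_output "$1")
  if [ -z "$v" ]; then echo unknown; return 2; fi
  if version_ge "$v" 5.9.0; then echo patched; return 0; fi
  echo vulnerable; return 1
}

# With --live, read the real `r2 -v` on this host; otherwise run over the samples.
if [ "${1:-}" = "--live" ]; then
  cve_2023_4322_status "$(r2 -v 2>/dev/null)"
else
  for s in "$SAMPLE_OLD" "$SAMPLE_FIXED" "$SAMPLE_NEWER" "$SAMPLE_JUNK"; do
    printf '%-45s -> %s\n' "$s" "$(cve_2023_4322_status "$s")"
  done
fi
```

Run the script with --live on a host to check its installed r2; a non-zero exit status (1 vulnerable, 2 unknown) makes it usable from a fleet inventory job.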

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash logs from radare2 process
  • Unusual memory allocation patterns in system logs

Network Indicators:

  • Unexpected network connections originating from radare2 process

SIEM Query:

process_name:"r2" AND (event_type:"crash" OR memory_usage:"spike")
