CVE-2025-60359
📋 TL;DR
CVE-2025-60359 is a memory leak in radare2's r_bin_object_new function, the r_bin routine that instantiates a binary object when a file is loaded. Memory allocated on the leaking path is never freed, so an attacker who can get crafted files loaded can drive the process toward resource exhaustion and denial of service. Affected: the radare2 reverse engineering framework, versions 5.9.8 and earlier. Exploitation requires local access or some other way to feed malicious input to the application (for example an automated pipeline that analyzes untrusted files).
💻 Affected Systems
- radare2
📦 What is this software?
radare2 by radareorg: an open-source reverse engineering framework (disassembler, debugger and binary analysis toolkit) whose r_bin library parses executable formats such as ELF, PE and Mach-O when a file is opened.
⚠️ Risk & Real-World Impact
Worst Case
Sustained exploitation (many crafted files loaded into one long-lived radare2 process, or repeated loads in a batch pipeline) could exhaust available memory on the analysis host. radare2 then crashes or is killed by the OOM killer, and on a shared machine without memory limits the swap pressure and OOM selection can affect other processes as well.
Likely Case
Gradually increasing memory use and degraded performance of radare2 over a session, ending in an application crash when processing certain binary files and requiring the analysis session to be restarted. A one-shot invocation that opens a single file releases the leaked memory when the process exits, so the practical impact is concentrated in long-running sessions and automated pipelines that load many files in one process.
If Mitigated
Minimal impact with process isolation and a memory cap in place: radare2 crashes or is killed when it reaches the limit, and other processes on the system are unaffected.
🎯 Exploit Status
Exploitation requires crafting or obtaining binary files that take the leaking path in r_bin_object_new when they are loaded. No authentication or privileges are needed beyond getting the file opened, which requires either user interaction (an analyst opening the file) or an automated pipeline that analyzes attacker-supplied files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.9 or later
Vendor Advisory: https://github.com/radareorg/radare2/pull/24215
Restart Required: No system restart is needed, but radare2 sessions that were already running keep the old code loaded until they are restarted.
Instructions:
1. Update radare2 to version 5.9.9 or later using your package manager or from source.
2. For a source installation: git clone https://github.com/radareorg/radare2 && cd radare2 && sys/install.sh
3. Verify the installation with 'r2 -v'.
🔧 Temporary Workarounds
Limit binary analysis scope
All platforms: Restrict radare2 to analyzing only trusted binary files from known sources
Process isolation
Linux: Run radare2 in a containerized or sandboxed environment with a memory limit
docker run --memory=512m -it radareorg/radare2
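When Docker is not available, the same containment can be had from the shell by capping the process's address space (RLIMIT_AS via ulimit -v) and wall-clock time. The script below is an added example for this page, not code from radare2 or its maintainers; the `r2 -A -q -c afl FILE` invocation (full analysis, list functions, quit) is the assumed one-shot analysis command, and the 512 MB default is an assumption to be tuned to your binaries.

```sh
#!/bin/sh
# with_limits LIMIT_MB TIMEOUT_S COMMAND [ARGS...]
# Runs COMMAND under an address-space cap (RLIMIT_AS, set with ulimit -v) and,
# when coreutils `timeout` is available, a wall-clock limit. If the leaking
# analysis grows past LIMIT_MB, allocations fail inside the command and only
# that process dies; the host never starts swapping. The cap is set in a
# subshell so the caller's shell keeps its own limits.
# Exit status is the command's own (124 when `timeout` fired).
with_limits() {
    limit_mb=$1
    secs=$2
    shift 2
    (
        # ulimit -v takes kilobytes; failing to set the cap is fatal (125)
        ulimit -v $((limit_mb * 1024)) || exit 125
        if command -v timeout >/dev/null 2>&1; then
            exec timeout "$secs" "$@"
        fi
        exec "$@"
    )
}

# r2_limited LIMIT_MB TIMEOUT_S FILE: one-shot analysis of FILE under limits.
# Caveat: RLIMIT_AS counts mapped files too, and r2 maps the target, so the
# cap must exceed FILE's size with headroom for analysis structures.
# (The r2 flags below are the assumed analysis command for this example.)
r2_limited() {
    limit_mb=$1
    secs=$2
    file=$3
    with_limits "$limit_mb" "$secs" r2 -A -q -c afl "$file"
}

# Usage when invoked as a script with a file argument (assumed defaults:
# 512 MB, 300 s):   ./r2-limited.sh suspicious.elf
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    r2_limited 512 300 "$1"
    echo "r2 exit status: $?" >&2
fi
```

systemd-based hosts can express the same cap declaratively with `systemd-run -p MemoryMax=512M`, which limits resident memory via cgroups rather than address space and so is not tripped by large file mappings.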
🧯 If You Can't Patch
- Monitor radare2 process memory usage and restart when excessive consumption detected
- Implement strict file validation before feeding binaries to radare2 for analysis
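The first item above, monitoring radare2's memory and restarting it when consumption is excessive, can be automated with a small watchdog. The script below is an added example written for this page, not part of radare2; it assumes a Linux /proc filesystem, that the analysis process shows up as either `radare2` (the binary) or `r2` (the symlink most people invoke), and an assumed default cap of 512 MB resident memory.

```sh
#!/bin/sh
# Memory watchdog for unpatched radare2 (added example, not radare2 code).
# Polls /proc, and sends SIGTERM to any radare2 process whose resident set
# size exceeds a limit, so a session that has leaked its way to the cap is
# restarted by the analyst instead of exhausting the host.

# vmrss_kb_from_status: read /proc/<pid>/status text on stdin and print the
# VmRSS value in kB. Exits 1 when there is no VmRSS line (kernel threads).
vmrss_kb_from_status() {
    awk '/^VmRSS:/ { print $2; found = 1 } END { if (!found) exit 1 }'
}

# rss_exceeds RSS_KB LIMIT_KB: true when RSS_KB is above LIMIT_KB.
rss_exceeds() {
    [ "${1:-0}" -gt "$2" ]
}

# mb_to_kb MB: convert a megabyte limit to the kB unit /proc uses.
mb_to_kb() {
    echo $(( $1 * 1024 ))
}

# r2_pids: PIDs of running radare2 processes. The comm name is taken from the
# name the program was started with, so look for both the binary and the
# symlink. Exit status is sort's, so an empty result is not an error.
r2_pids() {
    { pgrep -x radare2; pgrep -x r2; } 2>/dev/null | sort -u
}

# check_once LIMIT_MB: kill every radare2 process above LIMIT_MB.
# Returns 0 when nothing was killed, 1 otherwise.
check_once() {
    limit_kb=$(mb_to_kb "$1")
    killed=0
    for pid in $(r2_pids); do
        # the process may have exited between pgrep and the read
        rss=$(vmrss_kb_from_status < "/proc/$pid/status" 2>/dev/null) || continue
        if rss_exceeds "$rss" "$limit_kb"; then
            echo "radare2 pid $pid RSS ${rss} kB > ${limit_kb} kB, sending SIGTERM" >&2
            kill -TERM "$pid"
            killed=1
        fi
    done
    return $killed
}

# watch_r2 LIMIT_MB INTERVAL_S: poll forever.
watch_r2() {
    while :; do
        check_once "$1" || true
        sleep "$2"
    done
}

# Usage (assumed defaults: 512 MB, every 5 s):  ./r2-watchdog.sh --watch 512 5
case "${1:-}" in
    --watch) watch_r2 "${2:-512}" "${3:-5}" ;;
esac
```

Log the SIGTERM lines to your SIEM: a radare2 process that is repeatedly killed for the same input file is the signal that a leak-triggering binary has entered the pipeline.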
🔍 How to Verify
Check if Vulnerable:
Run 'r2 -v' and check the version number it prints. Any version at or below 5.9.8 is vulnerable. Compare the components numerically, not as strings: 5.10.0 is newer than 5.9.9 even though "5.10" sorts before "5.9" lexically.
Check Version:
r2 -v | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
Verify Fix Applied:
After updating, run 'r2 -v' and confirm version is 5.9.9 or higher. Test with previously problematic binary files and monitor memory usage.
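A drop-in version check for fleet scripts, added here as an example (not part of radare2 or this advisory). It assumes the version is the first dotted triplet in the `r2 -v` output and compares it numerically against the fixed version, so 5.10.x and 5.9.10 are correctly treated as newer than 5.9.9; the banner strings used in comments are constructed for illustration.

```sh
#!/bin/sh
# Is the installed radare2 below the first fixed release (5.9.9)?
# Added example for CVE-2025-60359; not radare2 project code.
FIXED_VERSION=5.9.9

# r2_version: extract the first dotted X.Y.Z version from `r2 -v` output on
# stdin (assumed banner shape, e.g. "radare2 5.9.8 0 @ linux-x86-64").
r2_version() {
    grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: true when dotted version A >= B, comparing each of the three
# components as integers (missing components count as 0).
version_ge() {
    a=$1
    b=$2
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# is_vulnerable BANNER: true (0) when the version in BANNER is below
# FIXED_VERSION, false (1) when fixed, 2 when no version could be parsed.
is_vulnerable() {
    v=$(printf '%s\n' "$1" | r2_version)
    if [ -z "$v" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        return 1
    fi
    return 0
}

# When r2 is installed, report on it; otherwise the functions are just defined.
if command -v r2 >/dev/null 2>&1; then
    banner=$(r2 -v 2>/dev/null | head -n 1)
    if is_vulnerable "$banner"; then
        echo "VULNERABLE (CVE-2025-60359): $banner"
    else
        echo "OK: $banner"
    fi
fi
```

Run it both before and after the update; the second run on the same host is the "verify fix applied" step, and a non-zero exit from is_vulnerable with a parsed version is the condition to gate a pipeline on.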
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption patterns by radare2 processes
- Frequent radare2 crashes with memory-related error messages
- High swap usage during binary analysis sessions
Network Indicators:
- N/A - This is a local vulnerability
SIEM Query (vendor-neutral pseudo-query; field names depend on your platform, and the process may be named either radare2 or r2 depending on how it was launched):
(ProcessName="radare2" OR ProcessName="r2") AND (MemoryUsage>500MB OR EventID=1000)
EventID 1000 is the Windows Application Error crash event. On Linux, the equivalent crash signal is an OOM-killer entry in the kernel log naming the process, e.g. "Out of memory: Killed process <pid> (r2)".