CVE-2026-8695: radare2 Use-After-Free Allows Remote Code Execution
The National Vulnerability Database reports CVE-2026-8695, a critical use-after-free vulnerability in radare2 version 6.1.5. Specifically, the flaw exists within the gdbr_threads_list() function. Attackers can trigger memory corruption by chaining a valid qfThreadInfo response with a malformed qsThreadInfo response during GDB remote debugging.
This vulnerability carries a CVSSv3.1 score of 7.5 (HIGH). The impact is primarily denial of service, but it could escalate to remote code execution: by manipulating thread list processing, an attacker can control memory and potentially inject and execute malicious code. This is not just a crash; it is a potential route to code execution.
For defenders, this means any exposure of radare2 instances via GDB remote debugging is a serious concern. radare2 is a reverse engineering tool and is often used in sandboxed or isolated environments, but misconfigurations or exposed debugging interfaces could quickly turn this into a critical attack vector.
What This Means For You
- If your teams use radare2, especially for remote debugging, immediately verify that version 6.1.5 or earlier is not exposed to untrusted networks. Review all configurations for GDB remote debugging interfaces and ensure they are strictly firewalled or operate only over secure, authenticated channels. Prioritize patching or upgrading to a fixed version as soon as it's available to prevent denial of service or potential code execution.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2026-8695: radare2 Use-After-Free in gdbr_threads_list
```yaml
# Matches any radare2 launch with -d from these two install paths;
# it does not inspect the GDB remote traffic itself.
title: 'CVE-2026-8695: radare2 Use-After-Free in gdbr_threads_list'
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  This rule detects the execution of radare2 with the debug flag, which is a precursor to exploiting the CVE-2026-8695 use-after-free vulnerability. The vulnerability is triggered when processing thread list information via GDB remote debugging, and this rule aims to catch the initial invocation of the vulnerable tool in a debugging context.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8695/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
detection:
  selection:
    Image|startswith:
      - 'C:\Program Files\radare2\radare2.exe'
      - '/usr/local/bin/radare2'
    CommandLine|contains:
      - '-d'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
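A network-side complement to the process-creation rule above: in the GDB remote protocol the qfThreadInfo/qsThreadInfo replies are sent by the remote stub, and a conforming reply is either `m<thread-id>[,<thread-id>...]` or `l`, so a recorded session can be checked against that grammar. This is an added example, not code from this page or from radare2; `audit`, `classify_reply`, `pkt` and the sample session are hypothetical names and constructed data. "Malformed" here means only "outside that grammar" (the page does not describe the trigger), and run-length-encoded or escaped payloads are not expanded.

```python
import re

# Thread-id syntax per the GDB remote protocol: hex, -1, or p<pid>.<tid> (multiprocess).
_ID = r"(?:-1|[0-9a-fA-F]+)"
_TID = re.compile(rf"^(?:p{_ID}(?:\.{_ID})?|{_ID})$")
_FRAME = re.compile(rb"\$([^#$]*)#([0-9a-fA-F]{2})")
_QUERIES = ("qfThreadInfo", "qsThreadInfo")

def frames(data: bytes):
    """Yield (payload, checksum_ok) for every $payload#xx frame in a byte chunk."""
    for m in _FRAME.finditer(data):
        body = m.group(1)
        yield body.decode("latin-1"), sum(body) % 256 == int(m.group(2), 16)

def classify_reply(payload: str) -> str:
    """Classify a q[fs]ThreadInfo reply: 'list' (m<id>,...), 'end' (l) or 'malformed'."""
    if payload == "l":
        return "end"
    if payload.startswith("m") and all(_TID.match(t) for t in payload[1:].split(",")):
        return "list"
    return "malformed"

def audit(chunks):
    """chunks: ordered (direction, bytes); 'c' = debugger (radare2), 's' = remote stub.
    Returns (query, kind, context, payload excerpt) for each non-conforming reply."""
    findings, pending, listing = [], None, False
    for direction, data in chunks:
        for payload, ok in frames(data):
            if direction == "c":
                pending = payload if payload in _QUERIES else None
            elif pending:
                kind = classify_reply(payload) if ok else "bad-checksum"
                if kind not in ("list", "end"):
                    chained = pending == "qsThreadInfo" and listing
                    context = "after-valid-list" if chained else "standalone"
                    findings.append((pending, kind, context, payload[:40]))
                listing, pending = kind == "list", None
    return findings

def pkt(payload: str) -> bytes:
    """Frame a payload with its modulo-256 checksum (used to build the sample)."""
    raw = payload.encode()
    return b"$" + raw + b"#" + format(sum(raw) % 256, "02x").encode()

# Constructed session, not a capture; the bad reply is a placeholder, not a trigger.
SAMPLE = [
    ("c", pkt("qfThreadInfo")), ("s", b"+" + pkt("m1a2b,1a2c")),
    ("c", b"+" + pkt("qsThreadInfo")), ("s", b"+" + pkt("Xnot-a-list")),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `after-valid-list` context marks the sequence this advisory describes: a valid qfThreadInfo reply followed by a non-conforming qsThreadInfo reply.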
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8695 | Use After Free | radare2 version 6.1.5 |
| CVE-2026-8695 | Memory Corruption | radare2 gdbr_threads_list() function |
| CVE-2026-8695 | DoS | GDB remote debugging with malformed qsThreadInfo response |
| CVE-2026-8695 | RCE | GDB remote debugging with malformed qsThreadInfo response |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.