radare2 Use-After-Free (CVE-2026-8696) Risks Denial of Service, RCE
The National Vulnerability Database reports a high-severity use-after-free vulnerability, CVE-2026-8696, in radare2 version 6.1.5. The flaw is in the gdbr_pids_list() function of the GDB client core. It permits remote attackers to trigger a denial of service or potentially achieve arbitrary code execution by sending malformed thread information responses.
Attackers exploit this by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures. This leads to a double-free memory corruption during error path cleanup. The National Vulnerability Database assigns a CVSS v3.1 score of 7.5 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, highlighting its network-exploitable nature without user interaction.
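The cleanup pattern described above, reduced to a small C model as an added example (not radare2's source and not code from the original advisory): a list that owns its entries, an error path that also releases them by hand, and the hardened variant with a single owner. The type and function names, the counting stand-in for free(), and the reply strings are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model of the bug class, NOT radare2 source. Pid, PidList and all
 * function names are hypothetical; the replies are constructed samples. */
typedef struct { int pid; int releases; } Pid;
typedef struct { Pid *items[8]; int len; } PidList;   /* list owns its items */
static Pid pool[8];    /* static backing store keeps release counts readable */
static int pool_used;
/* Stand-in for free(): counts releases instead of corrupting the heap. */
static void pid_release(Pid *p) { p->releases++; }

static void list_free(PidList *l) {          /* owner releases each item once */
    for (int i = 0; i < l->len; i++) pid_release(l->items[i]);
    l->len = 0;
}

/* "m<hex>,<hex>" appends ids, "l" ends the list, anything else is an error. */
static int parse_ids(const char *reply, PidList *l) {
    if (reply[0] == 'l') return 0;
    if (reply[0] != 'm') return -1;
    for (const char *s = reply + 1; *s; ) {
        char *end;
        long id = strtol(s, &end, 16);
        if (end == s || l->len == 8 || pool_used == 8) return -1;
        pool[pool_used] = (Pid){ (int)id, 0 };
        l->items[l->len++] = &pool[pool_used++];
        s = (*end == ',') ? end + 1 : end;
    }
    return 0;
}

/* Highest release count on any entry: 1 is correct, 2 is a double free. */
static int list_threads(const char *first, const char *next, int hardened) {
    PidList l = { {0}, 0 };
    pool_used = 0;
    int failed = parse_ids(first, &l) < 0 || parse_ids(next, &l) < 0;
    for (int i = 0; failed && !hardened && i < l.len; i++)
        pid_release(l.items[i]);   /* flawed error path: releases by hand */
    list_free(&l);                 /* owning list releases every entry */
    int worst = 0;
    for (int i = 0; i < pool_used; i++)
        if (pool[i].releases > worst) worst = pool[i].releases;
    return worst;
}

int main(void) {
    printf("flawed=%d\n", list_threads("m1,2", "E01", 0));
    printf("hardened=%d\n", list_threads("m1,2", "E01", 1));
    return 0;
}
```

With a real allocator the second release is where heap metadata gets corrupted; building the real code with AddressSanitizer reports that point directly.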
While specific affected products beyond radare2 6.1.5 are not detailed, any systems or workflows utilizing this version of radare2, particularly its GDB client capabilities, are at immediate risk. Defenders must recognize that a remote, unauthenticated attacker can crash the application or, worse, gain control, making this a prime target for initial access or disruption.
What This Means For You
- If your teams use radare2 6.1.5 for reverse engineering, debugging, or exploit development, you are exposed. This isn't just a crash; it's a potential RCE from a remote attacker, no user interaction needed. Audit your environments for radare2 instances and prioritize patching or isolating any version 6.1.5 deployments immediately. Understand that an attacker's calculus here is simple: unauthenticated access to a powerful analysis tool often means a foothold on a high-value system.
🛡️ Detection Rules
CVE-2026-8696 - Radare2 Use-After-Free in GDB Client
```yaml
title: CVE-2026-8696 - Radare2 Use-After-Free in GDB Client
id: scw-2026-05-15-ai-1
status: experimental
level: critical
description: |
  Detects the execution of radare2 (r2) in debug mode, potentially interacting with GDB, which is the context where the CVE-2026-8696 use-after-free vulnerability in the gdbr_pids_list() function resides. This rule aims to identify the initial trigger of the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8696/
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
detection:
  # Fields inside one selection are ANDed; values inside one list are ORed.
  selection:
    # Substring match: 'r2' alone does not match a binary named 'radare2',
    # and it also matches unrelated paths that contain 'r2'.
    Image|contains:
      - 'r2'
      - 'radare2'
    # Either the debug flag or any mention of gdb on the command line.
    CommandLine|contains:
      - '-d'
      - 'gdb'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-8696 | Use After Free | radare2 version 6.1.5 |
| CVE-2026-8696 | Use After Free | Vulnerable function: gdbr_pids_list() in GDB client core |
| CVE-2026-8696 | Denial of Service | Trigger: Malformed thread information responses causing qsThreadInfo to fail after qfThreadInfo allocates RDebugPid structures |
| CVE-2026-8696 | Memory Corruption | Double-free due to error path cleanup after qsThreadInfo failure |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 16, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.