CVE-2022-28071 in radare2

Summary

by MITRE • 08/22/2023

A use after free in r_reg_get_name_idx function in radare2 5.4.2 and 5.4.0.

Analysis

by VulDB Data Team • 06/13/2026

The vulnerability under examination represents a use-after-free condition within the r_reg_get_name_idx function of radare2 versions 5.4.2 and 5.4.0, classified as a critical memory safety flaw that can lead to arbitrary code execution. This issue stems from improper memory management where a pointer reference is accessed after the memory it points to has been deallocated, creating a potential exploitation vector for malicious actors. The flaw exists in the register management subsystem of radare2, which is a widely used reverse engineering framework and binary analysis tool.

The technical implementation of this vulnerability occurs when the r_reg_get_name_idx function processes register name lookups and fails to properly validate or manage the lifecycle of memory allocations. Specifically, when a register name is resolved to an index, the function may return a pointer to memory that has already been freed, allowing attackers to manipulate the freed memory location for exploitation purposes. This condition typically arises from inadequate reference counting or memory deallocation timing issues within the register database management logic. The vulnerability manifests when the application attempts to access previously freed memory structures during register name resolution operations, creating opportunities for heap-based attacks.

The operational impact of this vulnerability is significant as it can be exploited by attackers to achieve arbitrary code execution within the context of the radare2 process. An attacker could potentially manipulate register name lookups to trigger the use-after-free condition, leading to remote code execution, privilege escalation, or denial of service scenarios. The affected versions 5.4.2 and 5.4.0 represent a substantial portion of radare2 users who could be impacted by this flaw, given the tool's widespread adoption in security research, malware analysis, and binary exploitation activities. This vulnerability directly affects the integrity and availability of reverse engineering environments where radare2 is deployed.

Mitigation strategies for this vulnerability involve immediate patching of affected radare2 versions to the latest stable releases that contain memory safety fixes. System administrators and security teams should prioritize updating their radare2 installations to prevent exploitation. Additionally, implementing runtime protections such as address space layout randomization, stack canaries, and heap metadata protections can help reduce exploitability. The vulnerability aligns with CWE-416, which specifically addresses use-after-free conditions in memory management, and may map to ATT&CK technique T1059 for execution through command-line interfaces. Organizations should also consider implementing application whitelisting and monitoring for suspicious memory access patterns to detect potential exploitation attempts.
