Impact
A local integer overflow flaw was found in radare2’s cmd_print function, which can be triggered by improper handling of user‑supplied data. The bug can allow an attacker with local execution privileges to cause program crashes. The affected code resides in libr/core/cmd_print.inc of the pb Print Command Handler component, and the flaw is limited to lifecycle manipulation of the function’s internal counters. The vulnerability is classified under CWE‑189 and CWE‑190 and has a CVSS score of 4.8, indicating moderate severity when exploited locally.
Affected Systems
The vulnerable product is radareorg radare2 version 6.1.6 and earlier. Administrators should verify against the specific commit hash 2b6265476c75567006b0fcbb749f4ae7b189c5df, which introduces the fix, and consider upgrading to any release newer than 6.1.6. No other vendors or products are currently listed as affected.
Risk and Exploitability
The CVSS score of 4.8 suggests moderate risk, and the exploit is publicly available, albeit limited to users who can run radare2 locally. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Because the attack vector is local, an adversary would require physical or remote access that provides shell or file‑system capabilities on the target machine. The absence of network‑based disclosure reduces the breadth of potential impact, but the local nature of the attack still demands prompt remediation.
OpenCVE Enrichment