Description
A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated into a service pipeline.
Published: 2026-04-06
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a double free bug in the LE loader of the Rizin reverse‑engineering framework. The le_load_fixup_record() function may release the same relocation entry more than once when parsing malformed or circular LE fixup chains. This double free can corrupt heap metadata, leading to an application crash that manifests as a denial of service.

Affected Systems

The affected product is Rizin version 0.8.1, as indicated by the CPE string provided. The issue resides specifically in the librz/bin/format/le/le.c source file. No other vendors or products are listed. An attacker would need to supply a malicious LE binary to the tool.

Risk and Exploitability

The CVSS score of 6.2 denotes medium severity, while the EPSS score of less than 1% indicates a very low estimated probability of exploitation. The vulnerability is not currently catalogued in CISA's KEV list. Exploitation requires the attacker to control the binary that is parsed, so the attack vector is more likely local or within a service pipeline that automatically processes user‑supplied binaries. In the absence of the patch, the risk stays low but could grow if the tool is run unattended.

Generated by OpenCVE AI on April 14, 2026 at 21:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rizin to a version containing the fix from PR #5795 (for example, release 0.8.2 or later).
  • If an update is not yet available, avoid processing user‑supplied LE binaries or implement pre‑validation checks to detect malformed chains before loading.
  • Monitor logs and crash reports for any instances of Rizin termination, and isolate any affected service processes.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Title Double Free in Rizin LE Loader Causing Denial of Service

Tue, 14 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rizin:rizin:0.8.1:*:*:*:*:*:*:*

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Title Double Free in Rizin LE Loader Causing Denial of Service

Tue, 07 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Heap Double‑Free in Rizin LE Binary Loader Leading to Denial of Service
Weaknesses CWE-416

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Title Heap Double‑Free in Rizin LE Binary Loader Leading to Denial of Service
First Time appeared Rizin
Rizin rizin
Weaknesses CWE-415
CWE-416
Vendors & Products Rizin
Rizin rizin
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description A double free vulnerability exists in librz/bin/format/le/le.c in the function le_load_fixup_record(). When processing malformed or circular LE fixup chains, relocation entries may be freed multiple times during error handling. A specially crafted LE binary can trigger heap corruption and cause the application to crash, resulting in a denial-of-service condition. An attacker with a crafted binary could cause a denial of service when the tool is integrated into a service pipeline.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-06T19:42:43.611Z

Reserved: 2026-03-09T00:00:00.000Z

Link: CVE-2026-31053

Vulnrichment

Updated: 2026-04-06T19:42:15.663Z

NVD

Status: Analyzed

Published: 2026-04-06T15:17:07.953

Modified: 2026-04-14T19:12:31.837

Link: CVE-2026-31053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses