Description
A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS".
Published: 2026-03-15
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability resides in the walk_exports_trie function of Radare2's Mach‑O file parser (libr/bin/format/mach0/mach0.c). An attacker can craft a Mach‑O binary that, when parsed, causes the function to consume excessive memory or CPU resources, leading to a denial‑of‑service condition. This weakness aligns with CWE‑1050 (Untrusted Resource Consumption), CWE‑400 (Resource Exhaustion), and CWE‑404 (Improper Resource Shutdown or Release).

Affected Systems

Affected systems are installations of Radare2, specifically version 5.9.9 and any earlier releases that have not applied the bug fix. The fix is available in Radare2 6.1.2 and is identified by commit 4371ae84c99c46b48cb21badbbef06b30757aba0.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity, while the EPSS score is below 1 %, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires local access to the Radare2 environment; an attacker must provide a malicious Mach‑O file to the vulnerable parser. Because the attack is local and the impact is resource consumption, the overall risk remains moderate to low.

Generated by OpenCVE AI on March 17, 2026 at 01:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply patch commit 4371ae84c99c46b48cb21badbbef06b30757aba0
  • Upgrade Radare2 to version 6.1.2 or later

Generated by OpenCVE AI on March 17, 2026 at 01:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Radare
Radare radare2
Vendors & Products Radare
Radare radare2

Sun, 15 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
Description A vulnerability has been found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The existence of this vulnerability is still disputed at present. Upgrading to version 6.1.2 is capable of addressing this issue. The name of the patch is 4371ae84c99c46b48cb21badbbef06b30757aba0. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS".
Title Radare2 Mach-O File mach0.c walk_exports_trie resource consumption
Weaknesses CWE-400
CWE-404
References
Metrics cvssV2_0

{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0

{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Radare Radare2
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-17T15:14:43.360Z

Reserved: 2026-03-14T15:08:42.451Z

Link: CVE-2026-4174

cve-icon Vulnrichment

Updated: 2026-03-17T15:14:38.343Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-16T14:19:57.890

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4174

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-15T10:32:10Z

Links: CVE-2026-4174 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T14:01:54Z

Weaknesses