In radare2 through 4.0, there is an integer overflow for the variable newtokensize in the function rasmmassemble at libr/asm/asm.c. This integer overflow will result in a Use-After-Free for the buffer tokens, which can be filled with arbitrary malicious data after the free. This allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via crafted input.
{ "binaries": [ { "binary_name": "libradare2-4.2.1", "binary_version": "4.2.1+dfsg-1" }, { "binary_name": "libradare2-4.2.1-dbgsym", "binary_version": "4.2.1+dfsg-1" }, { "binary_name": "libradare2-common", "binary_version": "4.2.1+dfsg-1" }, { "binary_name": "libradare2-dev", "binary_version": "4.2.1+dfsg-1" }, { "binary_name": "radare2", "binary_version": "4.2.1+dfsg-1" }, { "binary_name": "radare2-dbgsym", "binary_version": "4.2.1+dfsg-1" } ], "ubuntu_priority": "medium", "availability": "No subscription required" }
{ "binaries": [ { "binary_name": "libradare2-5.0.0", "binary_version": "5.5.0+dfsg-1ubuntu1" }, { "binary_name": "libradare2-5.0.0-dbgsym", "binary_version": "5.5.0+dfsg-1ubuntu1" }, { "binary_name": "libradare2-common", "binary_version": "5.5.0+dfsg-1ubuntu1" }, { "binary_name": "libradare2-dev", "binary_version": "5.5.0+dfsg-1ubuntu1" }, { "binary_name": "radare2", "binary_version": "5.5.0+dfsg-1ubuntu1" }, { "binary_name": "radare2-dbgsym", "binary_version": "5.5.0+dfsg-1ubuntu1" } ], "ubuntu_priority": "medium", "availability": "No subscription required" }