lowCVE-2026-14758

CVE-2026-14758 radare2 vulnerability

A vulnerability was identified in radareorg radare2 up to 6.1.6. This vulnerability affects the function cmd_anal_opcode of the file libr/core/cmd_anal.inc.c of the component hexpairs Parser. Such manipulation leads to integer overflow. The attack needs to be performed locally. The exploit is publicly available and might be used. The name of the patch is 84e773986e7e5bb30453a9384f498ec0ccc9d0a9. A patch should be applied to remediate this issue.

Productradare2
CVSS1.9
EPSSNot scored yet
UpdatedJuly 13, 2026

Quick answer

radare2 should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CVE-2026-14758 affects radare2 when analyzing crafted local files or inputs. Install 6.1.8, ensure the referenced patch 84e773986e7e is present, and sandbox any workflow that processes untrusted binaries. Affected ranges in the local record are 6.1.0 through before 6.1.8.

  1. Inventory developer workstations, CI jobs, malware-analysis workers, upload pipelines, and services that invoke radare2 or link against radare2 libraries.
  2. Identify any workflow that analyzes files supplied by users, customers, scanners, malware feeds, crash reproducers, or automated test corpora.
  3. Upgrade radare2 to 6.1.8, or rebuild from upstream with the referenced security patch applied.
  4. Rebuild dependent tools and containers so they use the patched radare2 binary and libraries rather than an older system package.
  5. Run radare2 analysis in a sandbox with low privileges, resource limits, no sensitive filesystem access, and no production credentials.
  6. Temporarily block or quarantine untrusted file analysis until patched workers are deployed everywhere.
  7. Review crash reports and analysis logs for segmentation faults, heap corruption, integer overflows, use-after-free symptoms, or repeated crafted samples tied to CVE-2026-14758.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm radare2 version and package metadata show 6.1.8, or verify the relevant patch commit is included in the deployed build.
  • Run the affected parser or command path against known regression samples and confirm the process does not crash or corrupt memory.
  • Check CI and container images to ensure no older radare2 binary remains earlier in PATH or linked by dependent tools.
  • Open the generated Fixnx page and confirm the canonical URL ends with radare2-cve-2026-14758.
  • Re-run sitemap validation and confirm radare2-cve-2026-14758 appears once in sitemap.xml with the full CVE-2026-14758 suffix.

Trusted references

FAQ

What is affected by CVE-2026-14758?

radare2 should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.