{"id":"CVE-2018-11383","details":"The r_strbuf_fini() function in radare2 2.5.0 allows remote attackers to cause a denial of service (invalid free and application crash) via a crafted ELF file because of an uninitialized variable in the CPSE handler in libr/anal/p/anal_avr.c.","modified":"2026-04-11T06:58:40.563788Z","published":"2018-05-22T19:29:00.617Z","references":[{"type":"ADVISORY","url":"https://github.com/radare/radare2/issues/9943"},{"type":"FIX","url":"https://github.com/radare/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/radare/radare2","events":[{"introduced":"0"},{"last_affected":"c2b7d11ca74cd98eba8912d94ec0973cf2965697"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.5.0"}]}},{"type":"GIT","repo":"https://github.com/radareorg/radare2","events":[{"introduced":"0"},{"fixed":"9d348bcc2c4bbd3805e7eec97b594be9febbdf9a"}]}],"versions":["0.10.0","0.10.1","0.10.2","0.10.3","0.10.4","0.10.4-termux4","0.10.5","0.10.6","0.8.6","0.8.8","0.9","0.9.2","0.9.4","0.9.6","0.9.7","0.9.8","0.9.8-rc1","0.9.8-rc2","0.9.8-rc3","0.9.8-rc4","0.9.9","1.0","1.0.0","1.0.1","1.0.2","1.1.0","1.2.0","1.2.0-git","1.3.0","1.3.0-git","1.4.0","1.5.0","1.6.0","2.0.0","2.0.1","2.1.0","2.2.0","2.4.0","2.5.0","radare2-windows-nightly","termux"],"database_specific":{"vanir_signatures_modified":"2026-04-11T06:58:40Z","vanir_signatures":[{"deprecated":false,"id":"CVE-2018-11383-bbbe278c","signature_version":"v1","signature_type":"Line","source":"https://github.com/radareorg/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a","target":{"file":"libr/anal/p/anal_avr.c"},"digest":{"line_hashes":["47270229814842832929366968196727967885","126669755649315053909664126447875466395","21781600489549702972163629473157356904","184442265832565846871651635268013892995"],"threshold":0.9}},{"deprecated":false,"id":"CVE-2018-11383-d5ff7c64","signature_version":"v1","signature_type":"Function","source":"https://github.com/radareorg/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a","target":{"function":"INST_HANDLER","file":"libr/anal/p/anal_avr.c"},"digest":{"function_hash":"2956492097207907596166250278438024525","length":455}},{"deprecated":false,"id":"CVE-2018-11383-e2e6a765","signature_version":"v1","signature_type":"Line","source":"https://github.com/radareorg/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a","target":{"file":"libr/core/cmd_anal.c"},"digest":{"line_hashes":["240740428937564269147966087675452016894","55469616256702758172118333612830257686","84368723211342369985709478460472691626","4016314567113082973067168157201977007","195047055111794583475820447890840620557"],"threshold":0.9}},{"deprecated":false,"id":"CVE-2018-11383-f7104bde","signature_version":"v1","signature_type":"Function","source":"https://github.com/radareorg/radare2/commit/9d348bcc2c4bbd3805e7eec97b594be9febbdf9a","target":{"function":"cmd_anal_esil","file":"libr/core/cmd_anal.c"},"digest":{"function_hash":"10219425347577413704488991727129091068","length":10058}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11383.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}