{"id":"CVE-2022-28068","details":"A heap buffer overflow in r_sleb128 function in radare2 5.4.2 and 5.4.0.","modified":"2026-04-11T22:01:42.972124Z","published":"2023-08-22T19:16:22.423Z","references":[{"type":"FIX","url":"https://github.com/radareorg/radare2/commit/637f4bd1af6752e28e0a9998e954e2e9ce6fa992"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/radare/radare2","events":[{"introduced":"0"},{"last_affected":"df953a40887aa5dc947ca3c08d70e39359f9c0e3"},{"introduced":"0"},{"last_affected":"84e6cc6a21ec1c816d4d3eb3510d2cdc94330414"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"5.4.0"},{"introduced":"0"},{"last_affected":"5.4.2"}]}},{"type":"GIT","repo":"https://github.com/radareorg/radare2","events":[{"introduced":"0"},{"fixed":"637f4bd1af6752e28e0a9998e954e2e9ce6fa992"}]}],"versions":["0.10.0","0.10.1","0.10.2","0.10.3","0.10.4","0.10.4-termux4","0.10.5","0.10.6","0.8.6","0.8.8","0.9","0.9.2","0.9.4","0.9.6","0.9.7","0.9.8","0.9.8-rc1","0.9.8-rc2","0.9.8-rc3","0.9.8-rc4","0.9.9","1.0","1.0.0","1.0.1","1.0.2","1.1.0","1.2.0","1.2.0-git","1.3.0","1.3.0-git","1.4.0","1.5.0","1.6.0","2.0.0","2.0.1","2.1.0","2.2.0","2.4.0","2.5.0","2.6.0","2.6.9","2.7.0","2.8.0","2.9.0","3.0.0","3.0.1","3.1.0","3.1.1","3.1.2","3.1.3","3.2.0","3.2.1","3.3.0","3.4.0","3.4.1","3.5.0","3.5.1","3.6.0","3.7.0","3.7.1","3.8.0","3.9.0","4.0.0","4.1.0","4.1.1","4.2.0","4.2.1","4.3.0","4.3.1","4.4.0","4.5.1","5.0.0","5.1.0","5.1.1","5.2.0","5.2.1","5.3.0","5.3.1","5.4.0","5.4.0-git","5.4.2","Continuous-Windows","continuous","radare2-windows-nightly","release-5.0.0","termux"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-28068.json","vanir_signatures_modified":"2026-04-11T22:01:42Z","vanir_signatures":[{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["113837310268751448641403520284314812811","206688385093915369104097403104644720568","218099256406656212753611725523765836218","30507648515732160706688115558476191857","239035140707503037010471151689633606910","258908663129137101848959621218764528207","335376066240700029054636823905917883579","233674267950573847692643077292406997111","264398132028989539020330616796105961426","37749535327945142470311525596678974825","202616321936041362404375802625483100988","245223709205287354195091292829153899824","296075304100906190052998259140835302351","217548883087933380467182783140133997739","213516188384106055895269244112698154155","274508398396134117530309629974257745171","2481241751616234209358577912809522606","180873842160432547409560798588096564109","136808839989247509364601328491274072736","293433430048895794929028640315133940158","188359166997355383253660578089051140815","5475766128709698867215720479269445193","224382174109098481271058031436060486414","114796835824639032197401226091527528534","311610227294147671784721435395916121740","16613822707924235879918298289391541407","192472961614426703705863445508219324534","40151045710128673145912214578937707024"]},"signature_type":"Line","id":"CVE-2022-28068-14f38dc0","deprecated":false,"source":"https://github.com/radareorg/radare2/commit/637f4bd1af6752e28e0a9998e954e2e9ce6fa992","target":{"file":"libr/bin/dwarf.c"}},{"signature_version":"v1","digest":{"function_hash":"225075812382039480808810230574922679775","length":814},"signature_type":"Function","id":"CVE-2022-28068-950410d6","deprecated":false,"source":"https://github.com/radareorg/radare2/commit/637f4bd1af6752e28e0a9998e954e2e9ce6fa992","target":{"file":"libr/bin/dwarf.c","function":"parse_die"}},{"signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["82808495555599534220823637966100775237","34467357746302134185901643176622134549","308883440703698160702040353526171717712","94257197606966392613591060671082308682","142761272106886067729098819553060707017","203408319474404891445168413634361605148","314118469412744712115824633152849316779","311830455758858365309103188013608426700","61586589386366154080680905726490631896","293018717090580508195179172446439188250","45849837503433876567661834699778748985","7267481447773605661459912914922939839","57643439829971059973548547749747315221","214856441681586453239644785692720112893","273312648645288454808199991506043630724","81704208859240338066760786810120184801"]},"signature_type":"Line","id":"CVE-2022-28068-9c0265b1","deprecated":false,"source":"https://github.com/radareorg/radare2/commit/637f4bd1af6752e28e0a9998e954e2e9ce6fa992","target":{"file":"libr/anal/dwarf_process.c"}},{"signature_version":"v1","digest":{"function_hash":"176274961685585861596881861180921783587","length":203},"signature_type":"Function","id":"CVE-2022-28068-9de60fa3","deprecated":false,"source":"https://github.com/radareorg/radare2/commit/637f4bd1af6752e28e0a9998e954e2e9ce6fa992","target":{"file":"libr/bin/dwarf.c","function":"dwarf_read_offset"}},{"signature_version":"v1","digest":{"function_hash":"223765876627598769785066152449158520670","length":4081},"signature_type":"Function","id":"CVE-2022-28068-d9ab99b6","deprecated":false,"source":"https://github.com/radareorg/radare2/commit/637f4bd1af6752e28e0a9998e954e2e9ce6fa992","target":{"file":"libr/anal/dwarf_process.c","function":"parse_dwarf_location"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}