{"id":"CVE-2025-63745","details":"A NULL pointer dereference vulnerability was discovered in radare2 6.0.5 and earlier within the info() function of bin_ne.c. A crafted binary input can trigger a segmentation fault, leading to a denial of service when the tool processes malformed data.","modified":"2026-04-12T18:40:04.837798Z","published":"2025-11-14T21:15:45.083Z","references":[{"type":"REPORT","url":"https://github.com/radareorg/radare2/issues/24660"},{"type":"FIX","url":"https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-001-radare2-nullptr-deref-bin_ne.md"},{"type":"FIX","url":"https://github.com/marlinkcyber/advisories/blob/main/advisories/radare2-nullptr-deref-bin_ne.md"},{"type":"FIX","url":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/radareorg/radare2","events":[{"introduced":"0"},{"fixed":"6c5df3f8570d4f0c360681c08241ad8af3b919fd"}]}],"versions":["0.10.0","0.10.1","0.10.2","0.10.3","0.10.4","0.10.4-termux4","0.10.5","0.10.6","0.8.6","0.8.8","0.9","0.9.2","0.9.4","0.9.6","0.9.7","0.9.8","0.9.8-rc1","0.9.8-rc2","0.9.8-rc3","0.9.8-rc4","0.9.9","1.0","1.0.0","1.0.1","1.0.2","1.1.0","1.2.0","1.2.0-git","1.3.0","1.3.0-git","1.4.0","1.5.0","1.6.0","2.0.0","2.0.1","2.1.0","2.2.0","2.4.0","2.5.0","2.6.0","2.6.9","2.7.0","2.8.0","2.9.0","3.0.0","3.0.1","3.1.0","3.1.1","3.1.2","3.1.3","3.2.0","3.2.1","3.3.0","3.4.0","3.4.1","3.5.0","3.5.1","3.6.0","3.7.0","3.7.1","3.8.0","3.9.0","4.0.0","4.1.0","4.1.1","4.2.0","4.2.1","4.3.0","4.3.1","4.4.0","4.5.1","5.0.0","5.1.0","5.1.1","5.2.0","5.2.1","5.3.0","5.3.1","5.4.0","5.4.0-git","5.4.2","5.5.0","5.5.2","5.5.4","5.6.0","5.6.2","5.6.4","5.6.6","5.6.8","5.7.0","5.7.2","5.7.4","5.7.6","5.7.8","5.8.0","5.8.2","5.8.4","5.8.6","5.8.8","5.9.0","5.9.2","5.9.4","5.9.6","5.9.8","6.0.0","6.0.2","6.0.4","Continuous-Windows","continuous","radare2-windows-nightly","release-5.0.0","termux","wip"],"database_specific":{"vanir_signatures_modified":"2026-04-12T18:40:04Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-63745.json","vanir_signatures":[{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"84146432519326662430865519521765612802","length":320},"signature_type":"Function","id":"CVE-2025-63745-142822d0","target":{"function":"info","file":"libr/bin/p/bin_ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"line_hashes":["225645340465502649403007884156092289299","4255312194927405349494608333156212801","221492251747955084037942442839376620031","103094258928229211537405568275140328861","83760469944535761774492245038122925436","191853895264087811774622815729800926909","312202530214876748638244845423168489181"],"threshold":0.9},"signature_type":"Line","id":"CVE-2025-63745-19521af8","target":{"file":"libr/bin/p/bin_ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"316935037769037347446857601865745434761","length":3359},"signature_type":"Function","id":"CVE-2025-63745-3e78a0c5","target":{"function":"r_bin_ne_get_relocs","file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"154503603118799082267592018775264885947","length":718},"signature_type":"Function","id":"CVE-2025-63745-7e03226e","target":{"function":"r_bin_ne_get_imports","file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"327963706153672025240578035634824030205","length":158},"signature_type":"Function","id":"CVE-2025-63745-8ba67da7","target":{"function":"r_bin_ne_new_buf","file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"106112272512346546172539501448725117117","length":1484},"signature_type":"Function","id":"CVE-2025-63745-90732f81","target":{"function":"r_bin_ne_get_symbols","file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"line_hashes":["313238745765593098916398371711611719026","294752229138683901280345080909175703068","287234075078972060332705076000960752614","61687125016204721711556633294709419230","101683830962973421030327422698245415883","324690717746851617852693403780049688727","105725521615344357065672744328767393558","20348808998800939027832124039156497412","103932977767556783085866655802755369923","185766139809623981907481017446196760390","242757875722461813260580452274959845167","183609496058471472087376317578066044812","73016055845034544411042456248936860411","77237793225504425653131744554744729571","194536733704221344171287824016814877527","67709743740579648977685067487009132914","296597705641018818644775265758595290167","250782832250914117964994115570498208215","198181616098348474293048922435700938700","95703940086544948520562337060076593148","310966993569082911011148113652848476034","157179690316466466463529410185139768317","333963544480240934816765111991052663037","324846141160135092639839517546804030699","163056050106799001027687671299049256650","120004223918794892759312146021397652472","210179649740552819592557501328770961163","26745738271488028184227008616724153387","147231730837729489074141156835783693829","299922718602882311868712267424888419354","223223715559888981290723075634535525460","88888210275562397908409414026535506647","40619013878554923376372695977059232965","302319969718740244346448406839420222525","195339780723047122621027496336571289604","100773668494960943283012556228712781332","36611135045926497895111631975642740113","172257755568199023532836346844485230179","239251081859677703346475027249651195491","214074381375023074878840775140979352449","182863579517589287631377850725300908036","283640864699898381263655973841467348630","152527434330706178348542513598339955706","239747875909445878386960023926298532821","220173227346407627996624325320460411564","207946668031197252113135756830201597907","338947544075308010936011219466223709398","16769727617485124330738899851313356341","157652202564519084984989693962773804665","174615053272657349546493130311976732635","86378841372027892579675697054324285844"],"threshold":0.9},"signature_type":"Line","id":"CVE-2025-63745-90d4aaf9","target":{"file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"40753176155915494471092337591911098596","length":1323},"signature_type":"Function","id":"CVE-2025-63745-a9d21032","target":{"function":"__ne_get_resources","file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"289865205616505545813263707385777284189","length":2001},"signature_type":"Function","id":"CVE-2025-63745-ad7f692a","target":{"function":"r_bin_ne_get_entrypoints","file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"210841537725366807856477297836916704170","length":801},"signature_type":"Function","id":"CVE-2025-63745-bf4db74c","target":{"function":"r_bin_ne_get_segments","file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"251142977442218578945101283452518184963","length":1956},"signature_type":"Function","id":"CVE-2025-63745-cb9f975d","target":{"function":"__init","file":"libr/bin/format/ne/ne.c"}},{"source":"https://github.com/radareorg/radare2/commit/6c5df3f8570d4f0c360681c08241ad8af3b919fd","signature_version":"v1","deprecated":false,"digest":{"function_hash":"188912887634688540447694381659026342925","length":304},"signature_type":"Function","id":"CVE-2025-63745-e8f08444","target":{"function":"__get_target_os","file":"libr/bin/format/ne/ne.c"}}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"6.0.5"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}