CVE-2025-5648 | Radare2 5.9.9 radiff2 /libr/cons/pal.c r_cons_pal_init -T memory corruption (EUVD-2025-16977 / Nessus ID 275939)
A vulnerability classified as problematic has been found in Radare2 5.9.9. Affected by this vulnerability is the function r_cons_pal_init in the library /libr/cons/pal.c of the component radiff2. The manipulation of the argument -T leads to memory corruption.
This vulnerability is referenced as CVE-2025-5648. The attack can only be performed from a local environment. Furthermore, an exploit is available.
The real existence of this vulnerability is still doubted at the moment.
It is recommended to apply a patch to fix this issue.
The documentation explains that the parameter -T is experimental and "crashy". Further analysis has shown "the race is not a real problem unless you use asan". A new warning has been added.