#1107316 radare2: CVE-2025-5648 CVE-2025-5647 CVE-2025-5646 CVE-2025-5645 CVE-2025-5644 CVE-2025-5643 CVE-2025-5642 CVE-2025-5641

Package: src:radare2
Source: src:radare2
Submitter: Moritz Mühlenhoff
Date: 2025-06-05 20:35:01 UTC
Severity: normal
Tags:
#1107316#5
Date: 2025-06-05 15:16:07 UTC
From:
To:
Hi,

The following vulnerabilities were published for radare2.

CVE-2025-5646[0]:
| A vulnerability has been found in Radare2 5.9.9 and classified as
| problematic. This vulnerability affects the function
| r_cons_rainbow_free in the library /libr/cons/pal.c of the component
| radiff2. The manipulation of the argument -T leads to memory
| corruption. It is possible to launch the attack on the local host.
| The complexity of an attack is rather high. The exploitation appears
| to be difficult. The exploit has been disclosed to the public and
| may be used. The real existence of this vulnerability is still
| doubted at the moment. The patch is identified as
| 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply
| a patch to fix this issue. The documentation explains that the
| parameter -T is experimental and "crashy". Further analysis has
| shown "the race is not a real problem unless you use asan". A new
| warning has been added.

https://github.com/radareorg/radare2/issues/24235
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798


CVE-2025-5645[1]:
| A vulnerability, which was classified as problematic, was found in
| Radare2 5.9.9. This affects the function r_cons_pal_init in the
| library /libr/cons/pal.c of the component radiff2. The manipulation
| of the argument -T leads to memory corruption. Attacking locally is
| a requirement. The complexity of an attack is rather high. The
| exploitability is told to be difficult. The exploit has been
| disclosed to the public and may be used. The real existence of this
| vulnerability is still doubted at the moment. The identifier of the
| patch is 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended
| to apply a patch to fix this issue. The documentation explains that
| the parameter -T is experimental and "crashy". Further analysis has
| shown "the race is not a real problem unless you use asan". A new
| warning has been added.

https://github.com/radareorg/radare2/issues/24234
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798


CVE-2025-5644[2]:
| A vulnerability, which was classified as problematic, has been found
| in Radare2 5.9.9. Affected by this issue is the function
| r_cons_flush in the library /libr/cons/cons.c of the component
| radiff2. The manipulation of the argument -T leads to use after
| free. Local access is required to approach this attack. The
| complexity of an attack is rather high. The exploitation is known to
| be difficult. The exploit has been disclosed to the public and may
| be used. The real existence of this vulnerability is still doubted
| at the moment. The name of the patch is
| 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply
| a patch to fix this issue. The documentation explains that the
| parameter -T is experimental and "crashy". Further analysis has
| shown "the race is not a real problem unless you use asan". A new
| warning has been added.

https://github.com/radareorg/radare2/issues/24233
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798


CVE-2025-5643[3]:
| A vulnerability classified as problematic was found in Radare2
| 5.9.9. Affected by this vulnerability is the function
| cons_stack_load in the library /libr/cons/cons.c of the component
| radiff2. The manipulation of the argument -T leads to memory
| corruption. An attack has to be approached locally. The complexity
| of an attack is rather high. The exploitation appears to be
| difficult. The exploit has been disclosed to the public and may be
| used. The real existence of this vulnerability is still doubted at
| the moment. The patch is named
| 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply
| a patch to fix this issue. The documentation explains that the
| parameter -T is experimental and "crashy". Further analysis has
| shown "the race is not a real problem unless you use asan". A new
| warning has been added.

https://github.com/radareorg/radare2/issues/24232
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798


CVE-2025-5642[4]:
| A vulnerability classified as problematic has been found in Radare2
| 5.9.9. Affected is the function r_cons_pal_init in the library
| /libr/cons/pal.c of the component radiff2. The manipulation leads to
| memory corruption. The attack needs to be approached locally. The
| complexity of an attack is rather high. The exploitability is told
| to be difficult. The exploit has been disclosed to the public and
| may be used. The real existence of this vulnerability is still
| doubted at the moment. The patch is identified as
| 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply
| a patch to fix this issue. The documentation explains that the
| parameter -T is experimental and "crashy". Further analysis has
| shown "the race is not a real problem unless you use asan". A new
| warning has been added.

https://github.com/radareorg/radare2/issues/24231
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798


CVE-2025-5641[5]:
| A vulnerability was found in Radare2 5.9.9. It has been rated as
| problematic. This issue affects the function r_cons_is_breaked in
| the library /libr/cons/cons.c of the component radiff2. The
| manipulation of the argument -T leads to memory corruption. It is
| possible to launch the attack on the local host. The complexity of
| an attack is rather high. The exploitation is known to be difficult.
| The exploit has been disclosed to the public and may be used. The
| real existence of this vulnerability is still doubted at the moment.
| The identifier of the patch is
| 5705d99cc1f23f36f9a84aab26d1724010b97798. It is recommended to apply
| a patch to fix this issue. The documentation explains that the
| parameter -T is experimental and "crashy". Further analysis has
| shown "the race is not a real problem unless you use asan". An
| additional warning regarding threading support has been added.

https://github.com/radareorg/radare2/issues/24230
https://github.com/radareorg/radare2/commit/5705d99cc1f23f36f9a84aab26d1724010b97798


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5646
    https://www.cve.org/CVERecord?id=CVE-2025-5646
[1] https://security-tracker.debian.org/tracker/CVE-2025-5645
    https://www.cve.org/CVERecord?id=CVE-2025-5645
[2] https://security-tracker.debian.org/tracker/CVE-2025-5644
    https://www.cve.org/CVERecord?id=CVE-2025-5644
[3] https://security-tracker.debian.org/tracker/CVE-2025-5643
    https://www.cve.org/CVERecord?id=CVE-2025-5643
[4] https://security-tracker.debian.org/tracker/CVE-2025-5642
    https://www.cve.org/CVERecord?id=CVE-2025-5642
[5] https://security-tracker.debian.org/tracker/CVE-2025-5641
    https://www.cve.org/CVERecord?id=CVE-2025-5641

Please adjust the affected versions in the BTS as needed.

#1107316#12
Date: 2025-06-05 20:32:47 UTC
From:
To:
Hi,
CVE-2025-5647 and CVE-2025-5648. Covering them here as well.

Regards,
Salvatore