CVE-2024-11858

A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processing

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2329102	Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*

History

05 Aug 2025, 17:56

Type	Values Removed	Values Added
References	~~() https://bugzilla.redhat.com/show_bug.cgi?id=2329102 -~~	() https://bugzilla.redhat.com/show_bug.cgi?id=2329102 - Issue Tracking, Third Party Advisory
CPE		cpe:2.3:a:radare:radare2::::::::
First Time		Radare Radare radare2

15 Dec 2024, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-12-15 14:15

Updated : 2025-08-05 17:56

NVD link : CVE-2024-11858

Mitre link : CVE-2024-11858

CVE.ORG link : CVE-2024-11858

JSON object : View

Products Affected

radare

radare2

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2024-11858", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "patrick@puiterwijk.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-12-15T14:15:22.320", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2329102", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "patrick@puiterwijk.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "patrick@puiterwijk.org", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processing\u200b"}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Radare2 que contiene una vulnerabilidad de inyecci\u00f3n de comandos causada por una validaci\u00f3n de entrada insuficiente al gestionar archivos de la aplicaci\u00f3n Pebble. Las entradas manipuladas con fines malintencionados pueden inyectar comandos de shell durante el an\u00e1lisis de comandos, lo que genera un comportamiento no deseado durante el procesamiento de archivos."}], "lastModified": "2025-08-05T17:56:17.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DD7ED9A8-17F8-4FD1-8D7F-EBBB728A07CD", "versionEndIncluding": "5.9.8"}], "operator": "OR"}]}], "sourceIdentifier": "patrick@puiterwijk.org"}