CVE-2026-45324 PUBLISHED

Rizin: Double free in cmd_search.c

Assigner: GitHub_M
Reserved: 11.05.2026 Published: 29.05.2026 Updated: 29.05.2026

Rizin is a UNIX-like reverse engineering framework and command-line toolset. There is a double free in librz/core/cmd/cmd_search.c:byte_pattern_search() due wrong pointer ownership declared. This vulnerability is fixed by commit 045fff363b42b8a6dda8ad5229c29ec3267e7dbe.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
CVSS Score: 3.3

Attack Vector	Physical	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	rizinorg
Product	rizin
Versions	Version < 045fff363b42b8a6dda8ad5229c29ec3267e7dbe is affected

References

https://github.com/rizinorg/rizin/security/advisories/GHSA-2377-chx7-xf7c
https://github.com/rizinorg/rizin/commit/045fff363b42b8a6dda8ad5229c29ec3267e7dbe

Problem Types

CWE-415: Double Free CWE