CVE-2026-22780

4.4 MEDIUM

📋 TL;DR

A heap-based buffer overflow in Rizin's Mach-O loader can be triggered by a Mach-O file whose dyld chained fixups data carries specially crafted segment entries. A victim who opens such a file with rizin, rz-bin or any other tool built on the Rizin libraries gets, at minimum, a crash of that process (denial of service); with enough control over heap layout the attacker can execute code with the privileges of that user. Every Rizin installation before 0.8.2 that is used on untrusted Mach-O (macOS/iOS) binaries is affected. The defect is confined to the Mach-O file parser.
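The dyld chained fixups data the summary refers to is a small self-describing blob: a header, a "starts in image" table of per-segment offsets, and per-segment "starts in segment" records carrying a page count and a page-start array. A parser that trusts those counts and offsets is exactly the pattern that produces heap overflows. The C below is an added illustration of that pattern next to its hardened form; it is not Rizin's code and does not claim to be the specific defect fixed in 0.8.2. Struct layouts follow Apple's fixup-chains.h; the sample blobs, the page-counting function and its parameter names are constructed for this example.

```c
/* Bounds-checked walk of a dyld chained-fixups blob (the __LINKEDIT payload that
 * LC_DYLD_CHAINED_FIXUPS points to). Added illustration of the bug class only:
 * not Rizin's parser and not the exact defect fixed in 0.8.2. Field layouts
 * follow Apple's <mach-o/fixup-chains.h>; the sample blobs are constructed here. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define FIXUPS_HDR_SIZE  28u  /* struct dyld_chained_fixups_header */
#define STARTS_IMAGE_HDR  4u  /* seg_count, then uint32 seg_info_offset[seg_count] */
#define STARTS_SEG_HDR   22u  /* dyld_chained_starts_in_segment up to page_count */
#define BLOB_LEN         66   /* size of the constructed sample blob */

static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Does [off, off + n*elem) lie inside a buffer of length len? Written so that
 * neither the multiplication nor the addition can wrap. */
static int fits(size_t len, uint64_t off, uint64_t n, uint64_t elem)
{
    return off <= len && n <= (len - off) / elem;
}

/* The pattern behind this bug class: counts and offsets read from the file are
 * trusted, so a crafted seg_count, seg_info_offset or page_count drives reads (and
 * any copy into a heap buffer sized from a different field) past the end of the
 * blob. Kept for contrast only; never call it on untrusted input. */
static long count_chain_pages_unchecked(const uint8_t *blob)
{
    const uint8_t *starts = blob + rd32(blob + 4);           /* starts_offset */
    uint32_t seg_count = rd32(starts);
    long pages = 0;
    for (uint32_t i = 0; i < seg_count; i++) {
        uint32_t seg_off = rd32(starts + STARTS_IMAGE_HDR + 4 * i);
        if (seg_off == 0) continue;                           /* segment has no fixups */
        pages += rd16(starts + seg_off + 20);                 /* page_count */
    }
    return pages;
}

/* Hardened form: every offset and count is validated against the blob length
 * before the bytes behind it are touched. Returns the total page_count, or -1. */
static long count_chain_pages_checked(const uint8_t *blob, size_t len)
{
    if (!fits(len, 0, 1, FIXUPS_HDR_SIZE)) return -1;
    uint64_t starts_off = rd32(blob + 4);
    if (!fits(len, starts_off, 1, STARTS_IMAGE_HDR)) return -1;
    uint32_t seg_count = rd32(blob + starts_off);
    if (!fits(len, starts_off + STARTS_IMAGE_HDR, seg_count, 4)) return -1;
    long pages = 0;
    for (uint32_t i = 0; i < seg_count; i++) {
        uint32_t seg_off = rd32(blob + starts_off + STARTS_IMAGE_HDR + 4 * (uint64_t)i);
        if (seg_off == 0) continue;
        uint64_t seg = starts_off + seg_off;                  /* relative to starts_in_image */
        if (!fits(len, seg, 1, STARTS_SEG_HDR)) return -1;
        uint32_t size = rd32(blob + seg);
        uint16_t page_count = rd16(blob + seg + 20);
        if (!fits(len, seg + STARTS_SEG_HDR, page_count, 2)) return -1;
        if (size < STARTS_SEG_HDR + 2u * page_count) return -1; /* struct must cover page_start[] */
        pages += page_count;
    }
    return pages;
}

/* Constructed 66-byte blob: header, starts_in_image for two segments (segment 0
 * has no fixups) and one starts_in_segment with two page starts. The parameters
 * are the attacker-controlled fields; the well-formed values are (2, 12, 2). */
static void build_blob(uint8_t out[BLOB_LEN], uint32_t seg_count, uint32_t seg1_off, uint16_t page_count)
{
    memset(out, 0, BLOB_LEN);
    wr32(out + 4, 28);          /* starts_offset: starts_in_image follows the header */
    wr32(out + 8, BLOB_LEN);    /* imports_offset and symbols_offset: empty, at the end */
    wr32(out + 12, BLOB_LEN);
    wr32(out + 28, seg_count);
    wr32(out + 36, seg1_off);   /* seg_info_offset[1]; [0] stays 0 (no fixups) */
    wr32(out + 40, 26);         /* size: 22-byte header + two page_start entries */
    wr16(out + 44, 0x4000);     /* page_size */
    wr16(out + 46, 2);          /* pointer_format DYLD_CHAINED_PTR_64 */
    wr32(out + 48, 0x4000);     /* segment_offset (low half of the uint64) */
    wr16(out + 60, page_count);
    wr16(out + 64, 0x10);       /* page_start[1]; page_start[0] stays 0 */
}

static long variant_checked(uint32_t seg_count, uint32_t seg1_off, uint16_t page_count)
{
    uint8_t blob[BLOB_LEN];
    build_blob(blob, seg_count, seg1_off, page_count);
    return count_chain_pages_checked(blob, BLOB_LEN);
}

static long variant_unchecked_benign(void)   /* only ever fed the well-formed blob */
{
    uint8_t blob[BLOB_LEN];
    build_blob(blob, 2, 12, 2);
    return count_chain_pages_unchecked(blob);
}

int main(void)
{
    printf("benign:            checked=%ld unchecked=%ld\n", variant_checked(2, 12, 2), variant_unchecked_benign());
    printf("huge seg_count:    checked=%ld\n", variant_checked(0x7fffffffu, 12, 2));
    printf("seg_off past end:  checked=%ld\n", variant_checked(2, 0x100000, 2));
    printf("huge page_count:   checked=%ld\n", variant_checked(2, 12, 0xffff));
    return 0;
}
```

The three corrupted variants are the same blob with one attacker-controlled field changed; each would send the unchecked walker past the 66 bytes it was given, while the checked walker rejects it before touching anything. The `fits` helper is the whole fix: one place where offset, count and element size are compared against the buffer length without the arithmetic being able to wrap.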

💻 Affected Systems

Products:
  • Rizin reverse engineering framework
Versions: All versions prior to 0.8.2
Operating Systems: Linux, macOS, BSD, other UNIX-like systems (Rizin's Windows builds carry the same Mach-O parser)
Default Config Vulnerable: ⚠️ Yes
Notes: Only the Mach-O loader is affected, so the flaw is reached only when a Mach-O (macOS/iOS) binary, including a dylib or a slice of a fat binary, is opened; other file formats never touch this code. Opening a file with rz-bin, auto-analysis on load in rizin, and scripts that drive the Rizin libraries all go through the same parser.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Arbitrary code execution as the user running Rizin, which becomes full system compromise if Rizin is run as root or by an account with broad access. The vector is local (the victim opens the file); there is no network-reachable path.

🟠

Likely Case

Application crash (denial of service) when parsing malicious files, potentially corrupting analysis sessions.

🟢

If Mitigated

Limited impact if Rizin runs in a container or other sandbox with minimal privileges: a successful exploit is confined to that environment and to whatever is mounted into it.

🌐 Internet-Facing: LOW - Rizin is typically used offline for reverse engineering, not as an internet-facing service.
🏢 Internal Only: MEDIUM - Internal security researchers analyzing untrusted binaries could be targeted through social engineering or supply chain attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

No authentication is involved, but a victim has to open the crafted file (with rizin, rz-bin, or a script or plugin that loads it). Because the flaw is in file parsing, turning a crash into code execution depends on heap layout at the moment the file is loaded, so a reliable exploit takes noticeably more work than a denial of service.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.2

Vendor Advisory: https://github.com/rizinorg/rizin/releases/tag/v0.8.2

Restart Required: No system restart, but rizin, rz-bin or GUI front-ends that are already running keep the old library loaded until they are relaunched.

Instructions:

1. Back up your Rizin configuration if you have customised it.
2. Update Rizin through your package manager or from source, then confirm the installed version is 0.8.2 or later: distribution packages can lag behind the upstream release, and an old copy elsewhere on PATH can shadow the new one.
3. Package managers: 'sudo apt update && sudo apt upgrade rizin' (Debian/Ubuntu) or the equivalent for your distribution.
4. From source: git clone https://github.com/rizinorg/rizin, check out tag v0.8.2 (or later), and build with Meson/Ninja as described in the repository's build instructions.

🔧 Temporary Workarounds

Avoid untrusted Mach-O files

all

Do not analyze Mach-O files from untrusted sources until patched.

Run Rizin in sandbox

linux

Use a container or other sandbox so that a successful exploit is confined to it: drop capabilities and network access, forbid privilege escalation, and mount only the directory holding the samples. Note that 'latest' is a moving tag; pin the image to a tag you have verified reports 0.8.2 or later, at which point the sandbox is defence in depth rather than the fix.

docker run --rm -it --network none --cap-drop ALL --security-opt no-new-privileges -v "$(pwd)":/work -w /work rizin/rizin:latest

🧯 If You Can't Patch

  • Restrict Rizin to analyzing only trusted, verified Mach-O files from known sources
  • Run Rizin with minimal privileges (non-root user, restricted capabilities)
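A practical way to apply the first point when untrusted samples keep arriving is to screen each file for LC_DYLD_CHAINED_FIXUPS before it is opened in an unpatched Rizin: userland Mach-O files describe chained fixups through that load command, so a file without it does not reach a chained-fixups parser by that route (which is not proof that the file is safe for other parser paths). The C below is an added example, not Rizin code; the load-command walk uses constants from mach-o/loader.h, while the sample images, the function names and the return codes are constructed for this example. Fat/universal files are reported as not Mach-O and need to be split into slices (for example with lipo) before screening.

```c
/* Pre-screen for Mach-O files before they go near an unpatched Rizin: does the
 * file carry LC_DYLD_CHAINED_FIXUPS, and does that command's data range lie
 * inside the file? Added example, not Rizin code; the sample images are
 * constructed below. Constants are from <mach-o/loader.h>. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MH_MAGIC_64  0xfeedfacfu
#define MH_CIGAM_64  0xcffaedfeu
#define MH_MAGIC     0xfeedfaceu
#define MH_CIGAM     0xcefaedfeu
#define LC_UUID                0x1bu
#define LC_DYLD_CHAINED_FIXUPS 0x80000034u   /* 0x34 | LC_REQ_DYLD */

enum { SCREEN_NOT_MACHO = -2, SCREEN_MALFORMED = -1, SCREEN_NO_FIXUPS = 0, SCREEN_HAS_FIXUPS = 1 };

/* Read a 32-bit field; be != 0 for big-endian images (MH_CIGAM* magic). */
static uint32_t ld32(const uint8_t *p, int be)
{
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return be ? (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24) : v;
}

static int screen_macho(const uint8_t *f, size_t len)
{
    if (len < 4) return SCREEN_NOT_MACHO;
    uint32_t magic = ld32(f, 0);
    int be = (magic == MH_CIGAM || magic == MH_CIGAM_64);
    size_t hdr;
    if (magic == MH_MAGIC_64 || magic == MH_CIGAM_64) hdr = 32;      /* mach_header_64 */
    else if (magic == MH_MAGIC || magic == MH_CIGAM) hdr = 28;        /* mach_header */
    else return SCREEN_NOT_MACHO;   /* fat/universal images (0xcafebabe) must be split into slices first */
    if (len < hdr) return SCREEN_MALFORMED;
    uint32_t ncmds = ld32(f + 16, be), sizeofcmds = ld32(f + 20, be);
    if (sizeofcmds > len - hdr) return SCREEN_MALFORMED;
    size_t off = hdr, end = hdr + sizeofcmds;
    for (uint32_t i = 0; i < ncmds; i++) {
        if (end - off < 8) return SCREEN_MALFORMED;            /* every load_command has cmd, cmdsize */
        uint32_t cmd = ld32(f + off, be), cmdsize = ld32(f + off + 4, be);
        if (cmdsize < 8 || cmdsize > end - off) return SCREEN_MALFORMED;
        if (cmd == LC_DYLD_CHAINED_FIXUPS) {
            if (cmdsize != 16) return SCREEN_MALFORMED;        /* struct linkedit_data_command */
            uint32_t dataoff = ld32(f + off + 8, be), datasize = ld32(f + off + 12, be);
            if (dataoff > len || datasize > len - dataoff) return SCREEN_MALFORMED;
            return SCREEN_HAS_FIXUPS;
        }
        off += cmdsize;
    }
    return SCREEN_NO_FIXUPS;
}

static void st32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }

/* Constructed little-endian arm64 image: mach_header_64, one load command, and
 * 8 bytes of trailing data for the command to point at. Returns the image size. */
static size_t build_image(uint8_t *out, uint32_t cmd, uint32_t cmdsize, uint32_t dataoff, uint32_t datasize)
{
    size_t n = 32 + cmdsize + 8;
    memset(out, 0, n);
    st32(out + 0, MH_MAGIC_64);
    st32(out + 4, 0x0100000cu);   /* CPU_TYPE_ARM64 */
    st32(out + 12, 2);            /* MH_EXECUTE */
    st32(out + 16, 1);            /* ncmds */
    st32(out + 20, cmdsize);      /* sizeofcmds */
    st32(out + 32, cmd);
    st32(out + 36, cmdsize);
    st32(out + 40, dataoff);      /* for LC_UUID these are just uuid bytes */
    st32(out + 44, datasize);
    return n;
}

static int screen_variant(uint32_t cmd, uint32_t cmdsize, uint32_t dataoff, uint32_t datasize)
{
    uint8_t img[96];
    size_t n = build_image(img, cmd, cmdsize, dataoff, datasize);
    return screen_macho(img, n);
}

int main(void)
{
    printf("chained fixups, data in range:  %d\n", screen_variant(LC_DYLD_CHAINED_FIXUPS, 16, 48, 8));
    printf("chained fixups, data past EOF:  %d\n", screen_variant(LC_DYLD_CHAINED_FIXUPS, 16, 48, 0x1000));
    printf("only LC_UUID:                   %d\n", screen_variant(LC_UUID, 24, 0, 0));
    printf("not Mach-O:                     %d\n", screen_macho((const uint8_t *)"\x7f" "ELF", 4));
    return 0;
}
```

Files that come back as SCREEN_HAS_FIXUPS or SCREEN_MALFORMED are the ones to hold back until the host is on 0.8.2 or to open only inside a sandbox; a data range that already points past the end of the file is a strong sign the sample was crafted rather than produced by a linker.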

🔍 How to Verify

Check if Vulnerable:

Run 'rizin --version' (or 'rz-bin --version'); the first line reports the version. Anything below 0.8.2 is vulnerable if that installation is ever pointed at Mach-O input. Check every copy on the host: a distribution package, a Homebrew install and a source build can coexist and report different versions.

Check Version:

rizin --version

Verify Fix Applied:

After updating, confirm the reported version is 0.8.2 or later. Compare it as a version rather than matching a fixed pattern: a check such as 'rizin --version | grep -q "0.8.2\|0.9\|1."' misses 0.10.x and 2.x releases and will match unrelated strings. With GNU coreutils, assuming the first line has the form 'rizin <version> @ <platform>': 'v=$(rizin --version | awk 'NR==1 {print $2}'); printf "0.8.2\n%s\n" "$v" | sort -V -C && echo "Patched ($v)" || echo "Vulnerable ($v)"'

📡 Detection & Monitoring

Log Indicators:

  • Crashes of rizin, rz-bin or other rz-* processes while a Mach-O file is open: SIGSEGV/SIGABRT entries in the kernel log, dumps listed by 'coredumpctl list rizin' on systemd hosts, crash reports under ~/Library/Logs/DiagnosticReports on macOS
  • Heap-corruption aborts raised by the allocator during analysis (glibc messages such as 'malloc(): corrupted top size' or 'free(): invalid pointer' on stderr, malloc error reports on macOS)

Network Indicators:

  • Not applicable - local file parsing vulnerability

SIEM Query:

Alert on process-crash events (auditd ANOM_ABEND records, systemd-coredump entries, macOS crash reports, EDR process-termination telemetry) where the image is rizin, rz-bin or another rz-* binary, and join against file-open events for Mach-O inputs where that telemetry exists. Treat repeated crashes on the same sample from an unpatched host as a possible exploitation attempt and preserve the file for analysis.

🔗 References

  • Rizin 0.8.2 release notes: https://github.com/rizinorg/rizin/releases/tag/v0.8.2