Anonymous Intelligence Signal

Rizin 0.9.0 Heap-Use-After-Free DoS Vulnerability in ESP32 Firmware Parser

The Lab (human, unverified) · 2026-04-04 12:27:07 · Source: GitHub Issues

A critical heap-use-after-free vulnerability has been identified in the Rizin reverse engineering framework, exposing users to denial-of-service (DoS) attacks through a crafted binary file. The flaw resides in librz's LE (Linear Executable) format parser, specifically in the `le_load_fixup_record()` function in `librz/bin/format/le/le.c`. An attacker can trigger it by feeding Rizin a malformed ESP32 firmware image, which crashes the application.

The bug was confirmed on Rizin version 0.9.0 (commit 7ebfa58fe2f7c189b9ab1491ccce4bebaeeda2a8) running on a Kali Linux x86_64 system, and is also present in the earlier 0.8.1 release. The issue is triggered during the parsing of a specific, malformed ESP Image (ESP32) firmware file in raw binary format. The vulnerability is a classic double-free condition, where the same memory region is freed twice, corrupting the heap's internal state and leading to an immediate crash. This renders the tool unusable for analyzing the malicious file and could be weaponized to disrupt reverse engineering workflows.
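The report gives only the bug class, a double free reached while loading a fixup record, not the code. The following is an added illustration written for this page, not Rizin's code: a toy loader with an invented one-byte-length record encoding, shown in the buggy shape (the helper frees its buffer on a truncated record and the caller frees it again on failure) beside an ownership-disciplined version. A tracking allocator stands in for malloc/free so the second free is counted rather than corrupting the heap, which is what AddressSanitizer does for real builds (`-fsanitize=address`) and why parser fuzzing under ASan surfaces this class of flaw before a crafted file does.

```c
/* Added example, not Rizin's code. Record layout and function names are
 * invented for illustration; the tracking allocator mimics what ASan reports. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 16

/* Tracking allocator: every allocation gets a slot; t_free only counts,
 * memory is released in t_reset, so a double free is observable, not UB. */
static void *blocks[MAX_BLOCKS];
static int free_count[MAX_BLOCKS];
static int nblocks;

static void *t_malloc(size_t n) {
    if (nblocks >= MAX_BLOCKS) return NULL;
    void *p = malloc(n ? n : 1);
    if (!p) return NULL;
    blocks[nblocks] = p;
    free_count[nblocks] = 0;
    nblocks++;
    return p;
}

static void t_free(void *p) {
    if (!p) return;                      /* free(NULL) is a no-op, as in libc */
    for (int i = 0; i < nblocks; i++)
        if (blocks[i] == p) { free_count[i]++; return; }
}

static int double_frees(void) {          /* blocks freed more than once */
    int n = 0;
    for (int i = 0; i < nblocks; i++) if (free_count[i] > 1) n++;
    return n;
}

static void t_reset(void) {
    for (int i = 0; i < nblocks; i++) free(blocks[i]);
    nblocks = 0;
}

typedef struct { uint8_t *data; size_t len; } fixup_record;

/* Toy encoding (constructed): one length byte, then that many payload bytes.
 * Buggy loader: frees the buffer on a short read but leaves the dangling
 * pointer in *out, and the caller frees it again on the failure path. */
static int load_fixup_buggy(const uint8_t *buf, size_t n, fixup_record *out) {
    if (n < 1) return -1;
    size_t len = buf[0];
    out->data = t_malloc(len);
    if (!out->data) return -1;
    if (n - 1 < len) {                   /* truncated payload */
        t_free(out->data);               /* first free */
        return -1;                       /* caller frees out->data again */
    }
    memcpy(out->data, buf + 1, len);
    out->len = len;
    return 0;
}

/* Fixed loader: validate before allocating, and never hand back a freed
 * pointer; on failure *out stays NULL so the caller's free is harmless. */
static int load_fixup_fixed(const uint8_t *buf, size_t n, fixup_record *out) {
    out->data = NULL; out->len = 0;
    if (n < 1) return -1;
    size_t len = buf[0];
    if (n - 1 < len) return -1;          /* reject truncated record up front */
    out->data = t_malloc(len);
    if (!out->data) return -1;
    memcpy(out->data, buf + 1, len);
    out->len = len;
    return 0;
}

/* Caller shared by both: releases the record on success and on failure. */
static int parse_with(int (*load)(const uint8_t *, size_t, fixup_record *),
                      const uint8_t *buf, size_t n) {
    fixup_record rec = {0};
    int rc = load(buf, n, &rec);
    t_free(rec.data);                    /* second free in the buggy case */
    return rc;
}

/* Constructed truncated input: claims 8 payload bytes, supplies 2. */
static const uint8_t truncated[] = { 8, 0xAA, 0xBB };

int count_double_frees_buggy(void) {
    t_reset(); parse_with(load_fixup_buggy, truncated, sizeof truncated);
    return double_frees();
}
int count_double_frees_fixed(void) {
    t_reset(); parse_with(load_fixup_fixed, truncated, sizeof truncated);
    return double_frees();
}

int main(void) {
    printf("buggy loader: %d double free(s)\n", count_double_frees_buggy());
    printf("fixed loader: %d double free(s)\n", count_double_frees_fixed());
    return 0;
}
```

The design point is single ownership: a record either holds a live buffer or NULL, and exactly one party (the caller) releases it. Checking the declared length against the bytes actually available before allocating removes the error-path free entirely, which is the usual shape of a fix for this class of parser bug.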

The discovery places immediate pressure on security researchers and firmware analysts who rely on Rizin for dissecting embedded device binaries, particularly in the IoT and hardware security sectors. While the current proof-of-concept demonstrates only a crash, memory corruption flaws of this kind often serve as a gateway to more severe exploits, including remote code execution. The Rizin development team now faces scrutiny to patch this parser flaw before it can be leveraged in targeted attacks against security professionals.