The dalvik_disassemble function in libr/asm/p/asm_dalvik.c in radare2 1.2.1 allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted DEX file.
https://github.com/radare/radare2/issues/6885
https://github.com/radare/radare2/commit/f41e941341e44aa86edd4483c4487ec09a074257