Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.
AnalysisAI
Command injection in radare2's PDB parser (versions <6.1.4) enables arbitrary command execution when analysts process maliciously crafted PE/PDB files containing newline bytes in section header names. Attack requires local file access and user interaction (opening the file with radare2's idp command). Publicly available exploit exists with EPSS score of 0.07% (22nd percentile), indicating low likelihood of mass exploitation but significant risk for targeted attacks against reverse engineers and malware analysts who routinely examine untrusted binaries.
Technical ContextAI
Radare2 is an open-source reverse engineering framework used for binary analysis, disassembly, and debugging. The vulnerability resides in the PDB (Program Database) parser's print_gvars() function, which processes Microsoft debugging symbols embedded in PE (Portable Executable) files. CWE-78 (OS Command Injection) occurs when the parser fails to sanitize newline characters (0x0A) in PE section header name fields. These names are passed to radare2's command interpreter without proper escaping, allowing embedded r2 commands after the newline to execute in the context of the radare2 process. The idp command, used to load PDB information, triggers the vulnerable code path. This affects all radare2 versions prior to 6.1.4, as confirmed by CPE cpe:2.3:a:radareorg:radare2:*:*:*:*:*:*:*:* with version range <6.1.4.
RemediationAI
Upgrade to radare2 version 6.1.4 or later, which contains the vendor-released patch addressing the command injection vulnerability (commit 5590c87deeb7eb2a106fd7aab9ca88bfeebb7397). Download from the official GitHub releases page at https://github.com/radareorg/radare2/releases/tag/6.1.4 or use distribution package managers that provide version 6.1.4+. Users unable to upgrade immediately should implement strict operational controls: only analyze PE/PDB files from verified trusted sources, execute radare2 in isolated sandboxed environments (containers, VMs with no network access and limited filesystem permissions), and use AppArmor/SELinux profiles to restrict radare2's ability to execute child processes or write to sensitive directories. Consider running radare2 under a dedicated low-privilege user account with no access to SSH keys, credentials, or sensitive data. Review radare2 command history (~/.radare2_history) for unexpected commands if exposure to untrusted files occurred pre-patch. These mitigations reduce but do not eliminate risk, as sandboxing complexity may introduce operational overhead and residual escape risks exist.
An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32 function of libr/arch/p/nds32/nds32-dis.h
An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32_fpu function of libr/arch/p/nds32/nds32-d
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. Rated critical severity (CVSS 9.8), th
radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to exe
Out-of-bounds Read in GitHub repository radareorg/radare2 prior to 5.7.0. Rated critical severity (CVSS 9.1), this vulne
Out-of-bounds Read in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated cri
Out-of-bounds read in `r_bin_ne_get_relocs` function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated critic
Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. Rated high severity (CVSS 8.8), this v
In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and store_versioninfo_gnu_ve
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo
In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository radareorg/r
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22826