Skip to main content

Radare2 CVE-2026-40499

| EUVDEUVD-2026-22826 HIGH
OS Command Injection (CWE-78)
2026-04-15 VulnCheck
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

8
PoC Detected
May 01, 2026 - 15:20 vuln.today
Public exploit code
Analysis Updated
Apr 16, 2026 - 01:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 01:38 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:37 vuln.today
EUVD ID Assigned
Apr 15, 2026 - 02:45 euvd
EUVD-2026-22826
Analysis Generated
Apr 15, 2026 - 02:45 vuln.today
Patch released
Apr 15, 2026 - 02:45 nvd
Patch available
CVE Published
Apr 15, 2026 - 02:05 nvd
HIGH 8.4

DescriptionCVE.org

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.

AnalysisAI

Command injection in radare2's PDB parser (versions <6.1.4) enables arbitrary command execution when analysts process maliciously crafted PE/PDB files containing newline bytes in section header names. Attack requires local file access and user interaction (opening the file with radare2's idp command). Publicly available exploit exists with EPSS score of 0.07% (22nd percentile), indicating low likelihood of mass exploitation but significant risk for targeted attacks against reverse engineers and malware analysts who routinely examine untrusted binaries.

Technical ContextAI

Radare2 is an open-source reverse engineering framework used for binary analysis, disassembly, and debugging. The vulnerability resides in the PDB (Program Database) parser's print_gvars() function, which processes Microsoft debugging symbols embedded in PE (Portable Executable) files. CWE-78 (OS Command Injection) occurs when the parser fails to sanitize newline characters (0x0A) in PE section header name fields. These names are passed to radare2's command interpreter without proper escaping, allowing embedded r2 commands after the newline to execute in the context of the radare2 process. The idp command, used to load PDB information, triggers the vulnerable code path. This affects all radare2 versions prior to 6.1.4, as confirmed by CPE cpe:2.3:a:radareorg:radare2:*:*:*:*:*:*:*:* with version range <6.1.4.

RemediationAI

Upgrade to radare2 version 6.1.4 or later, which contains the vendor-released patch addressing the command injection vulnerability (commit 5590c87deeb7eb2a106fd7aab9ca88bfeebb7397). Download from the official GitHub releases page at https://github.com/radareorg/radare2/releases/tag/6.1.4 or use distribution package managers that provide version 6.1.4+. Users unable to upgrade immediately should implement strict operational controls: only analyze PE/PDB files from verified trusted sources, execute radare2 in isolated sandboxed environments (containers, VMs with no network access and limited filesystem permissions), and use AppArmor/SELinux profiles to restrict radare2's ability to execute child processes or write to sensitive directories. Consider running radare2 under a dedicated low-privilege user account with no access to SSH keys, credentials, or sensitive data. Review radare2 command history (~/.radare2_history) for unexpected commands if exposure to untrusted files occurred pre-patch. These mitigations reduce but do not eliminate risk, as sandboxing complexity may introduce operational overhead and residual escape risks exist.

CVE-2023-46570 CRITICAL POC
9.8 Oct 28

An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32 function of libr/arch/p/nds32/nds32-dis.h

CVE-2023-46569 CRITICAL POC
9.8 Oct 28

An out-of-bounds read in radare2 v.5.8.9 and before exists in the print_insn32_fpu function of libr/arch/p/nds32/nds32-d

CVE-2023-4322 CRITICAL POC
9.8 Aug 14

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. Rated critical severity (CVSS 9.8), th

CVE-2026-6942 CRITICAL POC
9.3 Apr 23

radare2-mcp version 1.6.0 and earlier contains an os command injection vulnerability that allows remote attackers to exe

CVE-2022-1899 CRITICAL POC
9.1 May 26

Out-of-bounds Read in GitHub repository radareorg/radare2 prior to 5.7.0. Rated critical severity (CVSS 9.1), this vulne

CVE-2022-1297 CRITICAL POC
9.1 Apr 11

Out-of-bounds Read in r_bin_ne_get_entrypoints function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated cri

CVE-2022-1296 CRITICAL POC
9.1 Apr 11

Out-of-bounds read in `r_bin_ne_get_relocs` function in GitHub repository radareorg/radare2 prior to 5.6.8. Rated critic

CVE-2023-5686 HIGH POC
8.8 Oct 20

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0. Rated high severity (CVSS 8.8), this v

CVE-2017-16357 HIGH POC
7.8 Nov 01

In radare 2.0.1, a memory corruption vulnerability exists in store_versioninfo_gnu_verdef() and store_versioninfo_gnu_ve

CVE-2017-15932 HIGH POC
7.8 Oct 27

In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo

CVE-2017-15931 HIGH POC
7.8 Oct 27

In radare2 2.0.1, an integer exception (negative number leading to an invalid memory access) exists in store_versioninfo

CVE-2023-0302 HIGH POC
7.8 Jan 15

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository radareorg/r

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-40499 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy