Skip to main content

radare2 CVE-2026-40517

| EUVDEUVD-2026-25119 HIGH
OS Command Injection (CWE-78)
2026-04-22 VulnCheck GHSA-3xv9-7r7g-8q6f
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
7.8 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

8
PoC Detected
Apr 27, 2026 - 17:04 vuln.today
Public exploit code
Re-analysis Queued
Apr 24, 2026 - 14:52 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:59 vuln.today
CVSS changed
Apr 22, 2026 - 22:22 NVD
7.8 (HIGH) 8.4 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 22:16 euvd
EUVD-2026-25119
Analysis Generated
Apr 22, 2026 - 22:16 vuln.today
Patch released
Apr 22, 2026 - 22:16 nvd
Patch available
CVE Published
Apr 22, 2026 - 21:44 nvd
HIGH 8.4

DescriptionCVE.org

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.

AnalysisAI

Command injection in radare2 PDB parser (versions before 6.1.4) enables arbitrary OS command execution when users analyze malicious PDB files. Publicly available exploit code exists. Attackers craft PDB files with newline characters in symbol names to inject radare2 commands during flag renaming operations, which then execute OS commands via radare2's shell operator when victims run the 'idp' command. CVSS 8.4 reflects local attack vector requiring user interaction, though EPSS data not available. Patch released in version 6.1.4 with detailed technical disclosure at blog.calif.io showing 0-day discovery process.

Technical ContextAI

radare2 is an open-source reverse engineering framework used for binary analysis, disassembly, and debugging. The vulnerability exists in the PDB (Program Database) parser component, specifically in the print_gvars() function that processes Microsoft PDB debugging symbol files. PDB files contain debugging information including symbol names, which radare2 parses to create internal flags for analysis. The root cause is CWE-78 (OS Command Injection) stemming from unsanitized interpolation of user-controlled data (PDB symbol names) into radare2's flag rename command. When symbol names contain newline characters, they break out of the intended command context and inject arbitrary radare2 commands. Since radare2 supports a shell execution operator for running OS commands, this command injection escalates to arbitrary code execution with the privileges of the radare2 process. The affected CPE cpe:2.3:a:radareorg:radare2 covers all versions prior to 6.1.4 across all platforms where radare2 operates (Linux, Windows, macOS).

RemediationAI

Upgrade to radare2 version 6.1.4 or later, which contains input sanitization fixes in the PDB parser's print_gvars() function as documented in GitHub PR #25731 (https://github.com/radareorg/radare2/pull/25731). Installation instructions available at radare2 official repository. If immediate upgrade is not feasible, implement the following compensating controls with noted limitations: (1) Restrict analysis of PDB files to trusted sources only, though this reduces radare2's utility for malware analysis workflows; (2) Execute radare2 in sandboxed environments (containers, VMs with limited network access) when analyzing untrusted PDB files, which contains but does not prevent exploitation within the sandbox; (3) Disable or restrict radare2's shell execution operator through configuration if workflow permits, though this breaks legitimate automation scripts; (4) Monitor radare2 process execution for suspicious child processes or network connections using EDR tools, providing detection but not prevention. None of these workarounds fully mitigate the vulnerability; upgrading to 6.1.4 is the only complete solution. Review security advisory at blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero for technical details and exploit indicators.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-40517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy