Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.
AnalysisAI
Command injection in radare2 PDB parser (versions before 6.1.4) enables arbitrary OS command execution when users analyze malicious PDB files. Publicly available exploit code exists. Attackers craft PDB files with newline characters in symbol names to inject radare2 commands during flag renaming operations, which then execute OS commands via radare2's shell operator when victims run the 'idp' command. CVSS 8.4 reflects local attack vector requiring user interaction, though EPSS data not available. Patch released in version 6.1.4 with detailed technical disclosure at blog.calif.io showing 0-day discovery process.
Technical ContextAI
radare2 is an open-source reverse engineering framework used for binary analysis, disassembly, and debugging. The vulnerability exists in the PDB (Program Database) parser component, specifically in the print_gvars() function that processes Microsoft PDB debugging symbol files. PDB files contain debugging information including symbol names, which radare2 parses to create internal flags for analysis. The root cause is CWE-78 (OS Command Injection) stemming from unsanitized interpolation of user-controlled data (PDB symbol names) into radare2's flag rename command. When symbol names contain newline characters, they break out of the intended command context and inject arbitrary radare2 commands. Since radare2 supports a shell execution operator for running OS commands, this command injection escalates to arbitrary code execution with the privileges of the radare2 process. The affected CPE cpe:2.3:a:radareorg:radare2 covers all versions prior to 6.1.4 across all platforms where radare2 operates (Linux, Windows, macOS).
RemediationAI
Upgrade to radare2 version 6.1.4 or later, which contains input sanitization fixes in the PDB parser's print_gvars() function as documented in GitHub PR #25731 (https://github.com/radareorg/radare2/pull/25731). Installation instructions available at radare2 official repository. If immediate upgrade is not feasible, implement the following compensating controls with noted limitations: (1) Restrict analysis of PDB files to trusted sources only, though this reduces radare2's utility for malware analysis workflows; (2) Execute radare2 in sandboxed environments (containers, VMs with limited network access) when analyzing untrusted PDB files, which contains but does not prevent exploitation within the sandbox; (3) Disable or restrict radare2's shell execution operator through configuration if workflow permits, though this breaks legitimate automation scripts; (4) Monitor radare2 process execution for suspicious child processes or network connections using EDR tools, providing detection but not prevention. None of these workarounds fully mitigate the vulnerability; upgrading to 6.1.4 is the only complete solution. Review security advisory at blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero for technical details and exploit indicators.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25119
GHSA-3xv9-7r7g-8q6f