Severity by source
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
10DescriptionCVE.org
radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.
AnalysisAI
Command injection in radare2's rabin2 PDB parser allows local attackers to execute arbitrary commands when the tool is compiled without SSL support on UNIX systems. The vulnerability (CWE-78) affected a narrow window between commits 01ca2f6 and 9236f44 (post-6.1.2, pre-6.1.3), spanning less than one week in the development timeline. CVSS 7.4 (HIGH) reflects local attack vector with high complexity but no authentication required. No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists. EPSS data not provided. Fixed in commit 9236f44a28 per GitHub PR #25651.
Technical ContextAI
Radare2 is an open-source reverse engineering framework and command-line toolset. The rabin2 utility performs binary analysis including parsing PDB (Program Database) debug symbol files. The vulnerability stems from CWE-78 (OS Command Injection) in the PDB name parsing logic when processing the -PP flag. On UNIX systems compiled without SSL support (a non-default configuration option), user-controlled PDB filename input is passed unsanitized to system command execution functions. The affected product per CPE is radare2:radare2 across the narrow commit range 01ca2f61 to 9236f44. The project's security model expects users to track the git main branch rather than releases, which limited real-world exposure despite the severity class.
RemediationAI
Update radare2 to commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2 or later (included in release 6.1.3 and all subsequent versions) per GitHub PR https://github.com/radareorg/radare2/pull/25651. Users tracking the git main branch per project recommendations should pull the latest code. For environments unable to immediately update, apply these compensating controls with noted trade-offs: (1) Recompile radare2 with SSL support enabled (default configuration) to disable the vulnerable code path-requires rebuild infrastructure and testing; (2) Restrict rabin2 execution to trusted PDB files only via process sandboxing or file integrity controls-reduces utility for analyzing untrusted binaries; (3) Run rabin2 in isolated containers or VMs when processing untrusted PDB files-adds operational overhead. Note that disabling the -PP flag entirely eliminates PDB parsing functionality, breaking workflows dependent on debug symbol analysis. Verify the fix by checking git log output for commit 9236f44a28 or confirming radare2 version is 6.1.3+.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23161
GHSA-v352-gq4q-9qjf