CVE-2026-41015

EUVD-2026-23161 | GHSA-v352-gq4q-9qjf
2026-04-16 | mitre
Severity: HIGH
CVSS 3.1: 7.4
CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

6 events:

Apr 16, 2026 - 05:56 | Analysis Updated | EUVD-patch-fix | executive_summary
Apr 16, 2026 - 05:29 | Re-analysis Queued | backfill_euvd_patch | patch_released
Apr 16, 2026 - 05:29 | patch_available | EUVD | 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2
Apr 16, 2026 - 03:45 | Analysis Updated | vuln.today | v2 (cvss_changed)
Apr 16, 2026 - 03:34 | Re-analysis Queued | vuln.today | cvss_changed
Apr 16, 2026 - 02:51 | Analysis Generated | vuln.today

Description (NVD)

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.

Analysis (AI)

Command injection in radare2's rabin2 PDB parser allows local attackers to execute arbitrary commands when the tool is compiled without SSL support on UNIX systems. The vulnerability (CWE-78) affected a narrow window between commits 01ca2f6 and 9236f44 (post-6.1.2, pre-6.1.3), spanning less than one week in the development timeline. …

Remediation (AI)

Within 24 hours: Identify all systems running radare2 versions post-6.1.2 and pre-6.1.3 compiled without SSL support. Within 7 days: Upgrade radare2 to version 6.1.3 or later (includes commit 9236f44a28 per GitHub PR #25651). …
