Skip to main content

Suse CVE-2026-41015

| EUVDEUVD-2026-23161 HIGH
OS Command Injection (CWE-78)
2026-04-16 mitre GHSA-v352-gq4q-9qjf
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Patch released
Apr 17, 2026 - 15:38 nvd
Patch available
Analysis Updated
Apr 16, 2026 - 05:56 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
9236f44a28812fe911814e1b3a7bcf1e4de5d3c2
Analysis Updated
Apr 16, 2026 - 03:45 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 16, 2026 - 03:34 vuln.today
cvss_changed
Analysis Generated
Apr 16, 2026 - 02:51 vuln.today
EUVD ID Assigned
Apr 16, 2026 - 02:45 euvd
EUVD-2026-23161
Analysis Generated
Apr 16, 2026 - 02:45 vuln.today
CVE Published
Apr 16, 2026 - 02:35 nvd
HIGH 7.4

DescriptionCVE.org

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.

AnalysisAI

Command injection in radare2's rabin2 PDB parser allows local attackers to execute arbitrary commands when the tool is compiled without SSL support on UNIX systems. The vulnerability (CWE-78) affected a narrow window between commits 01ca2f6 and 9236f44 (post-6.1.2, pre-6.1.3), spanning less than one week in the development timeline. CVSS 7.4 (HIGH) reflects local attack vector with high complexity but no authentication required. No active exploitation confirmed (not in CISA KEV), though publicly available exploit code exists. EPSS data not provided. Fixed in commit 9236f44a28 per GitHub PR #25651.

Technical ContextAI

Radare2 is an open-source reverse engineering framework and command-line toolset. The rabin2 utility performs binary analysis including parsing PDB (Program Database) debug symbol files. The vulnerability stems from CWE-78 (OS Command Injection) in the PDB name parsing logic when processing the -PP flag. On UNIX systems compiled without SSL support (a non-default configuration option), user-controlled PDB filename input is passed unsanitized to system command execution functions. The affected product per CPE is radare2:radare2 across the narrow commit range 01ca2f61 to 9236f44. The project's security model expects users to track the git main branch rather than releases, which limited real-world exposure despite the severity class.

RemediationAI

Update radare2 to commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2 or later (included in release 6.1.3 and all subsequent versions) per GitHub PR https://github.com/radareorg/radare2/pull/25651. Users tracking the git main branch per project recommendations should pull the latest code. For environments unable to immediately update, apply these compensating controls with noted trade-offs: (1) Recompile radare2 with SSL support enabled (default configuration) to disable the vulnerable code path-requires rebuild infrastructure and testing; (2) Restrict rabin2 execution to trusted PDB files only via process sandboxing or file integrity controls-reduces utility for analyzing untrusted binaries; (3) Run rabin2 in isolated containers or VMs when processing untrusted PDB files-adds operational overhead. Note that disabling the -PP flag entirely eliminates PDB parsing functionality, breaking workflows dependent on debug symbol analysis. Verify the fix by checking git log output for commit 9236f44a28 or confirming radare2 version is 6.1.3+.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-41015 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy