Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation (via argument injection), which allows attackers to place their code into a plugins directry if the victim uses an attacker-supplied .i64 file.
AnalysisAI
Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 allows local code injection through argument injection in Clang dependency-file generation, enabling attackers to place malicious code into the plugins directory when a victim opens an attacker-supplied .i64 file. The vulnerability requires local access and user interaction (opening a malicious file) but grants high integrity and confidentiality impact. No public exploit code or CISA KEV status has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability stems from insufficient input validation in IDA Pro's handling of Clang compiler arguments (CWE-88: Argument Injection). When processing .i64 database files, IDA Pro passes user-controlled data to the Clang compiler without properly sanitizing it, allowing attackers to inject arbitrary command-line arguments. Specifically, attackers can abuse Clang's dependency-file generation feature (typically controlled via -MD or similar flags) to write arbitrary files to the IDA plugins directory. The attack leverages the .i64 file format, which is IDA Pro's native disassembly database format, as the delivery mechanism for the malicious payload.
RemediationAI
Vendor-released patch: Upgrade to IDA Pro 9.3sp2 or later, which blocks argument injection in Clang dependency-file generation. Users unable to upgrade immediately should avoid opening .i64 database files from untrusted or unknown sources, particularly those obtained from public forums, collaborative research projects, or external contributors without verification. Additionally, restrict write access to the IDA Pro plugins directory using operating system file permissions (e.g., chmod 555 on Linux/macOS or Read-Only ACLs on Windows), though this may prevent legitimate plugin installation and requires administrative action. Users can also disable automatic plugin loading during IDA startup by using the -z flag or disabling plugin features in IDA's configuration, but this reduces functionality. See https://docs.hex-rays.com/release-notes/9_3sp2 for patch details and installation instructions.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28942
GHSA-f88f-hghp-jjr6