Skip to main content

Hex-Rays IDA Pro CVE-2026-45181

| EUVDEUVD-2026-28942 MEDIUM
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-09 cve@mitre.org GHSA-f88f-hghp-jjr6
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
May 10, 2026 - 02:16 EUVD
Analysis Generated
May 09, 2026 - 22:30 vuln.today
CVE Published
May 09, 2026 - 22:16 nvd
MEDIUM 6.5

DescriptionCVE.org

Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 does not block Clang dependency-file generation (via argument injection), which allows attackers to place their code into a plugins directry if the victim uses an attacker-supplied .i64 file.

AnalysisAI

Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2 allows local code injection through argument injection in Clang dependency-file generation, enabling attackers to place malicious code into the plugins directory when a victim opens an attacker-supplied .i64 file. The vulnerability requires local access and user interaction (opening a malicious file) but grants high integrity and confidentiality impact. No public exploit code or CISA KEV status has been confirmed at the time of analysis.

Technical ContextAI

The vulnerability stems from insufficient input validation in IDA Pro's handling of Clang compiler arguments (CWE-88: Argument Injection). When processing .i64 database files, IDA Pro passes user-controlled data to the Clang compiler without properly sanitizing it, allowing attackers to inject arbitrary command-line arguments. Specifically, attackers can abuse Clang's dependency-file generation feature (typically controlled via -MD or similar flags) to write arbitrary files to the IDA plugins directory. The attack leverages the .i64 file format, which is IDA Pro's native disassembly database format, as the delivery mechanism for the malicious payload.

RemediationAI

Vendor-released patch: Upgrade to IDA Pro 9.3sp2 or later, which blocks argument injection in Clang dependency-file generation. Users unable to upgrade immediately should avoid opening .i64 database files from untrusted or unknown sources, particularly those obtained from public forums, collaborative research projects, or external contributors without verification. Additionally, restrict write access to the IDA Pro plugins directory using operating system file permissions (e.g., chmod 555 on Linux/macOS or Read-Only ACLs on Windows), though this may prevent legitimate plugin installation and requires administrative action. Users can also disable automatic plugin loading during IDA startup by using the -z flag or disabling plugin features in IDA's configuration, but this reduces functionality. See https://docs.hex-rays.com/release-notes/9_3sp2 for patch details and installation instructions.

Share

CVE-2026-45181 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy