Home

Description

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.

PUBLISHED Reserved 2026-04-13 | Published 2026-04-15 | Updated 2026-04-20 | Assigner VulnCheck




HIGH: 8.4CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status
unaffected

Any version before 6.1.4
affected

5590c87deeb7eb2a106fd7aab9ca88bfeebb7397 (git)
unaffected

Credits

Hung Nguyen (mov) of Calif.io finder

References

github.com/radareorg/radare2/issues/25752 issue-tracking

github.com/...ommit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397 patch

github.com/radareorg/radare2/releases/tag/6.1.4 release-notes

www.vulncheck.com/...nd-injection-via-pdb-parser-print-gvars third-party-advisory

cve.org (CVE-2026-40499)

nvd.nist.gov (CVE-2026-40499)

Download JSON