Description

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.

PUBLISHED Reserved 2026-04-13 | Published 2026-04-22 | Updated 2026-04-23 | Assigner VulnCheck




HIGH: 8.4 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

HIGH: 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status: unaffected

Any version before 6.1.4: affected

Credits

Jun Rong of Calif.io (finder)

References

blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero (technical-description, exploit)

github.com/radareorg/radare2/issues/25730 (issue-tracking)

github.com/radareorg/radare2/pull/25731 (patch)

www.vulncheck.com/...d-injection-via-pdb-parser-symbol-names (third-party-advisory)

cve.org (CVE-2026-40517)

nvd.nist.gov (CVE-2026-40517)