Vulnerability Description
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Symbol names are interpolated without sanitization into the flag rename command, so an attacker can inject arbitrary radare2 commands. These commands are executed when a user runs the idp command against the malicious PDB file, and radare2's shell execution operator extends this to arbitrary OS command execution.
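The weakness class described above, shown as an added example that is not radare2's code or its patch: a symbol name is formatted into a newline-terminated command line with and without an allow-list filter. The `RENAME pdb.%s` template, the function names and the sample symbol name are constructed stand-ins.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Replace every byte outside [A-Za-z0-9_.] with '_' so the name cannot
 * carry a newline, ';' or any other command separator. */
static void sanitize_symbol_name(const char *in, char *out, size_t outsz) {
    size_t i = 0;
    if (outsz == 0) return;
    for (; in[i] && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = (isalnum(c) || c == '_' || c == '.') ? (char)c : '_';
    }
    out[i] = '\0';
}

/* A line-oriented command interpreter runs one command per '\n'. */
static int count_commands(const char *script) {
    int n = 0;
    for (; *script; script++)
        if (*script == '\n') n++;
    return n;
}

/* Unsafe: attacker-controlled name goes straight into the command text. */
static int build_unsafe(const char *name, char *buf, size_t sz) {
    snprintf(buf, sz, "RENAME pdb.%s\n", name); /* hypothetical template */
    return count_commands(buf);
}

/* Hardened: the name is filtered before interpolation. */
static int build_safe(const char *name, char *buf, size_t sz) {
    char clean[128];
    sanitize_symbol_name(name, clean, sizeof clean);
    snprintf(buf, sz, "RENAME pdb.%s\n", clean);
    return count_commands(buf);
}

int main(void) {
    const char *name = "gvar\nINJECTED_COMMAND"; /* constructed sample */
    char buf[256];
    printf("unsafe: %d command(s)\n", build_unsafe(name, buf, sizeof buf));
    printf("safe:   %d command(s)\n", build_safe(name, buf, sizeof buf));
    return 0;
}
```

The unsafe builder yields two command lines from one symbol; the filtered builder yields exactly one.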
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Radare | Radare2 | < 6.1.4 |
Related Weaknesses (CWE)
References
- https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero (Exploit, Third Party Advisory)
- https://github.com/radareorg/radare2/issues/25730 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/radareorg/radare2/pull/25731 (Issue Tracking)
- https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-sy (Third Party Advisory)
FAQ
What is CVE-2026-40517?
CVE-2026-40517 is a vulnerability with a CVSS score of 7.8 (HIGH). radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with n...
How severe is CVE-2026-40517?
CVE-2026-40517 has been rated HIGH with a CVSS base score of 7.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40517?
Check the references section above for vendor advisories and patch information. Affected products include: Radare Radare2.