Description
radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.
Published: 2026-04-15
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Command Execution
Action: Update
AI Analysis

Impact

radare2 versions older than 6.1.4 contain a command injection flaw in the PDB parser's print_gvars() function. The parser takes PE section header names from the PDB and uses them when generating r2 commands; a newline byte embedded in a section name ends the command the parser is building and lets whatever follows in the name run as further r2 commands when the idp command processes the file. Because r2's command language can spawn shell commands (the `!` prefix), injected r2 commands translate directly into OS command execution in the environment where radare2 runs, which is why the issue is classed as OS command injection (CWE-78).
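To make the failure mode concrete, the following Python script is an added illustration of the pattern the advisory describes; it is not radare2's own code and does not reproduce print_gvars(). It extracts the Name field from a 40-byte IMAGE_SECTION_HEADER (the structure a PDB's copy of the PE section table is made of), interpolates it into a flag-style command, and shows how a newline in the name splits one command into two, the second of which starts with r2's `!` shell prefix. The command template `f pdb.<name> @ <addr>`, the line-oriented `run_script` interpreter and the two sample headers are assumptions constructed for the example; the hardened builder simply refuses names containing control bytes.

```python
"""Model of the CVE-2026-40499 injection pattern (added illustration, not radare2 code).

A section name copied out of an IMAGE_SECTION_HEADER is interpolated into an
r2 command line. Because a line-oriented command interpreter treats a newline
as a command separator and r2's '!' prefix runs a shell command, a name
containing "\n!..." turns one harmless flag command into two commands, the
second of which reaches the OS shell.
"""
import re
import struct

# IMAGE_SECTION_HEADER (winnt.h): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics -> 40 bytes.
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40

# Bytes below 0x20 or equal to 0x7f have no business in a section name;
# the newline (0x0a) is the one the advisory calls out.
CONTROL_BYTES = re.compile(rb"[\x00-\x1f\x7f]")


def section_name(header: bytes) -> bytes:
    """Return the raw Name field of a 40-byte IMAGE_SECTION_HEADER.

    The field is not guaranteed to be NUL-terminated; only the NUL padding
    after the name is dropped, so embedded control bytes survive.
    """
    if len(header) != SECTION_HEADER_SIZE:
        raise ValueError("expected a 40-byte IMAGE_SECTION_HEADER")
    raw = struct.unpack(SECTION_HEADER_FMT, header)[0]
    return raw.split(b"\0", 1)[0]


def build_flag_command_unsafe(name: bytes, addr: int) -> str:
    """Vulnerable pattern: the name goes straight into the command text.

    The 'f pdb.<name> @ <addr>' template is an assumed shape for illustration.
    """
    return f"f pdb.{name.decode('latin-1')} @ {addr:#x}"


def is_safe_section_name(name: bytes) -> bool:
    """True when the name contains no control bytes (newline, CR, NUL, ...)."""
    return CONTROL_BYTES.search(name) is None


def build_flag_command_safe(name: bytes, addr: int) -> str:
    """Hardened pattern: refuse names that could terminate or alter the command."""
    if not is_safe_section_name(name):
        raise ValueError(f"section name contains control bytes: {name!r}")
    return f"f pdb.{name.decode('latin-1')} @ {addr:#x}"


def run_script(script: str) -> list[str]:
    """Stand-in for a line-oriented command interpreter: one command per line."""
    return [line for line in script.split("\n") if line]


def make_header(name: bytes) -> bytes:
    """Build a minimal IMAGE_SECTION_HEADER with the given (<= 8 byte) name."""
    if len(name) > 8:
        raise ValueError("section names are at most 8 bytes")
    return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                       0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)


# Constructed samples: a normal section, and one whose name smuggles a
# newline followed by an r2 shell escape ('!id' runs `id` in a shell).
BENIGN_HEADER = make_header(b".text")
MALICIOUS_HEADER = make_header(b"abc\n!id")


if __name__ == "__main__":
    for header in (BENIGN_HEADER, MALICIOUS_HEADER):
        name = section_name(header)
        print(f"{name!r}: unsafe -> {run_script(build_flag_command_unsafe(name, 0x401000))}")
        try:
            print(f"{name!r}: safe   -> {build_flag_command_safe(name, 0x401000)!r}")
        except ValueError as exc:
            print(f"{name!r}: safe   -> rejected ({exc})")
```

Run stand-alone, the script shows the benign name producing a single `f pdb..text @ 0x401000` command under both builders, while the malicious name yields `f pdb.abc` followed by `!id @ 0x401000` under the unsafe builder and is rejected by the safe one. The general lesson is the usual one for command generation: any byte that the consuming interpreter treats as a separator must be rejected or escaped before attacker-controlled data is spliced into command text.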

Affected Systems

The vulnerability affects radare2 from radareorg in all releases prior to 6.1.4, which includes the 6.0.x series and 6.1.0 through 6.1.3. Version 6.1.4 and later contain the fix.

Risk and Exploitability

The CVSS v4.0 base score of 8.4 (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H) classifies this as high severity; a CVSS v3.1 score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) was added later. EPSS is below 1% and the issue is not listed in the CISA KEV catalog. Both vectors record a local attack vector with no privileges required but user interaction needed: the attacker has to get a malicious PDB file in front of radare2, for example by supplying it alongside a binary that an analyst then loads with idp. Once the file is processed, the attacker's r2 commands run with the analyst's privileges, and because r2 commands can invoke the shell, so can arbitrary OS commands. The SSVC assessment records a public proof of concept, a non-automatable attack and total technical impact; together with the high severity and the fact that reverse-engineering tools routinely open files from untrusted sources, this warrants prompt remediation.

Generated by OpenCVE AI on April 15, 2026 at 03:20 UTC.

Remediation

No vendor advisory or workaround is linked on this page. Per the description, 6.1.4 is the first fixed release, so upgrading is the remediation.

OpenCVE Recommended Actions

  • Upgrade radare2 to version 6.1.4 or later and confirm the installed version with `r2 -v`
  • On unpatched versions, do not run idp (or otherwise load PDB files) against files from untrusted sources
  • Where radare2 runs in automated triage or CI pipelines, run it as a low-privilege user inside a sandbox or container, and treat child processes spawned by r2 while it parses a PDB as a signal worth alerting on


Advisories

No advisories yet.

History

Fri, 01 May 2026 15:30:00 +0000

Type       Values Removed   Values Added
CPEs                        cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*
Metrics                     cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 20 Apr 2026 16:30:00 +0000

Type       Values Removed   Values Added
References

Thu, 16 Apr 2026 14:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 01:30:00 +0000

Type       Values Removed   Values Added
References

Wed, 15 Apr 2026 13:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Radare; Radare radare2
Vendors & Products                     Radare; Radare radare2

Wed, 15 Apr 2026 02:45:00 +0000

Type         Values Removed   Values Added
Description                   (the description text shown under Description at the top of this page)
Title                         radare2 < 6.1.4 Command Injection via PDB Parser print_gvars()
Weaknesses                    CWE-78
References
Metrics                       cvssV4_0 {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T15:51:22.636Z

Reserved: 2026-04-13T20:29:02.808Z

Link: CVE-2026-40499

Vulnrichment

Updated: 2026-04-16T14:06:50.626Z

NVD

Status: Analyzed

Published: 2026-04-15T04:17:48.330

Modified: 2026-05-01T15:20:01.863

Link: CVE-2026-40499

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses