Description
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.
Published: 2026-04-22
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote OS Command Execution
Action: Immediate Patch
AI Analysis

Impact

radare2 contains a command-injection flaw in its PDB parser. Symbol names read from a PDB file are interpolated, unsanitized, into the flag rename command built by print_gvars(), so a name containing newline characters can carry additional radare2 commands. When a user runs the idp command against a malicious PDB file, those injected commands are executed, and through radare2's shell execution operator they can run arbitrary operating-system commands. The flaw is categorized as OS Command Injection (CWE-78).

Affected Systems

The issue affects radare2 versions before 6.1.4 distributed by radareorg. Users running any prior release of radare2 are vulnerable. No other vendors or product branches are listed.

Risk and Exploitability

The flaw has a CVSS score of 8.4, indicating a high severity weakness. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the user to open a crafted PDB file and execute the idp command; thus the attack vector is file‑based and typically local. If an attacker can coerce a target into running radare2 on such a file, they can execute arbitrary system commands with the privileges of the radare2 process.

Generated by OpenCVE AI on April 28, 2026 at 07:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade radare2 to version 6.1.4 or later, which contains a fix that sanitizes symbol names in the PDB parser.
  • If an upgrade is not immediately possible, refrain from opening or processing PDB files from untrusted sources, and avoid running the idp command on them.
  • As an alternative, apply the patch introduced in pull request #25731 from the radareorg repository to correct the unsanitized interpolation.
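
The fix described above sanitizes symbol names before they reach a command string. The following is an added example of that pattern, not radare2's code and not the patch from the pull request: an allowlist filter in C, where the function names and the `rename-flag` command template are placeholders assumed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy `in` to `out`, keeping only [A-Za-z0-9_.] and replacing every other
 * byte (newlines, separators, quotes, operators) with '_'.
 * Returns the number of bytes replaced, or -1 if `out` is too small. */
static int sanitize_symbol(const char *in, char *out, size_t outsz) {
    size_t len = strlen(in);
    int replaced = 0;
    if (outsz == 0 || len >= outsz) {
        return -1;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        if (isalnum(c) || c == '_' || c == '.') {
            out[i] = (char)c;
        } else {
            out[i] = '_';
            replaced++;
        }
    }
    out[len] = '\0';
    return replaced;
}

/* Build one command line from an untrusted symbol name. The template
 * "rename-flag" is a placeholder, not radare2's real command syntax.
 * Returns 0 on success, -1 if the name or the command does not fit. */
static int build_rename_cmd(const char *sym, char *cmd, size_t cmdsz) {
    char clean[256];
    if (sanitize_symbol(sym, clean, sizeof(clean)) < 0) {
        return -1;
    }
    int n = snprintf(cmd, cmdsz, "rename-flag sym.%s pdb.%s", clean, clean);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

int main(void) {
    /* Constructed sample: a symbol name carrying an embedded newline. */
    const char *sym = "g_counter\nsecond-line";
    char cmd[600];
    if (build_rename_cmd(sym, cmd, sizeof(cmd)) == 0) {
        puts(cmd); /* stays a single command line */
    }
    return 0;
}
```

An allowlist is used instead of a denylist so the filter does not depend on enumerating every character the command interpreter treats specially.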



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Radare; Radare radare2
CPEs | | cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*
Vendors & Products | | Radare; Radare radare2

Thu, 23 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.
Title | | radare2 < 6.1.4 Command Injection via PDB Parser Symbol Names
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 8.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-23T16:24:25.301Z

Reserved: 2026-04-13T20:29:02.809Z

Link: CVE-2026-40517

Vulnrichment

Updated: 2026-04-23T13:51:30.976Z

NVD

Status: Analyzed

Published: 2026-04-22T22:16:31.183

Modified: 2026-04-27T17:04:26.420

Link: CVE-2026-40517

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:15:09Z

Weaknesses