Description
radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.
Published: 2026-04-17
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: Arbitrary shell command execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an attacker to embed shell commands within DWARF formal parameter names in ELF binaries. When radare2 performs analysis through the afsv or afsvj commands, the unsanitized parameter interpolation builds a command string that is executed by the system shell, resulting in arbitrary code execution. The weakness stems from unsanitized user-controlled input in a system command context, corresponding to CWE-78.

Affected Systems

Vendors: radareorg. Product: radare2. All released versions before the patch commit bc5a89033db3ecb5b1f7bf681fc6ba4dcfc14683 are affected, including any radare2 binaries built from source prior to this commit.

Risk and Exploitability

The CVSS score of 8.5 classifies the vulnerability as high severity. EPSS data is not available, so the probability of exploitation is unclear, but the vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector requires the attacker to supply or otherwise cause a user or privileged process to run radare2 on a crafted ELF file; a local or privileged attacker would benefit most. The impact is full control of the system executing radare2.

Generated by OpenCVE AI on April 18, 2026 at 09:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update radare2 to a version that includes the commit bc5a89033db3ecb5b1f7bf681fc6ba4dcfc14683.
  • Avoid running afsv or afsvj on untrusted or remotely supplied binaries when using radare2.
  • Run radare2 with the least privilege necessary, or within a sandboxed environment to limit potential command execution.
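
A pre-analysis triage check in support of the second action above. This is an added example, not code from radare2 or OpenCVE: it parses the text printed by readelf --debug-dump=info and reports every DW_TAG_formal_parameter whose DW_AT_name is not a plain C identifier. The allow-list and the sample dump are assumptions made for illustration; the check is a conservative heuristic and not the project's fix.

```python
import re
import sys

# Assumption: legitimate parameter names are C identifiers ('$' is accepted by GCC/Clang).
SAFE_NAME = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*\Z")
# DIE header line, e.g. " <2><4c>: Abbrev Number: 3 (DW_TAG_formal_parameter)".
# "Abbrev Number: 0" terminator entries carry no tag.
DIE_HEADER = re.compile(r"<\d+><([0-9a-f]+)>: Abbrev Number: \d+(?: \((DW_TAG_\w+)\))?")
# DW_AT_name is printed inline or as "(indirect string, offset: 0x..): name".
NAME_ATTR = re.compile(r"DW_AT_name\s*:\s*(?:\(indirect[^)]*\):\s*)?(.*)$")

def suspicious_param_names(readelf_text):
    """Return [(die_offset, name)] for formal parameters with non-identifier names."""
    findings, in_param, offset = [], False, None
    for line in readelf_text.splitlines():
        header = DIE_HEADER.search(line)
        if header:
            offset = header.group(1)
            in_param = header.group(2) == "DW_TAG_formal_parameter"
            continue
        attr = NAME_ATTR.search(line)
        if in_param and attr:
            name = attr.group(1).rstrip()
            if not SAFE_NAME.match(name):
                findings.append((offset, name))
    return findings

# Constructed sample dump (not taken from a real binary).
SAMPLE = """\
 <1><2d>: Abbrev Number: 2 (DW_TAG_subprogram)
    <2e>   DW_AT_name        : (indirect string, offset: 0x10): parse
 <2><40>: Abbrev Number: 3 (DW_TAG_formal_parameter)
    <41>   DW_AT_name        : buf
    <45>   DW_AT_type        : <0x60>
 <2><4c>: Abbrev Number: 3 (DW_TAG_formal_parameter)
    <4d>   DW_AT_name        : (indirect string, offset: 0x20): len;CONSTRUCTED MARKER
 <2><58>: Abbrev Number: 0
"""

if __name__ == "__main__":
    # Reads a readelf dump from stdin; exits non-zero when anything is flagged.
    hits = suspicious_param_names(sys.stdin.read())
    for off, name in hits:
        print(f"DIE <{off}>: suspicious parameter name {name!r}")
    sys.exit(1 if hits else 0)
```

Pipe the output of readelf --debug-dump=info for the file under review into the script before opening that file in radare2; a non-zero exit status means at least one parameter name should be inspected by hand.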

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.
Title | | radare2 Command Injection via DWARF Parameter Names
Weaknesses | | CWE-78
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
Metrics | | cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-17T20:25:20.143Z

Reserved: 2026-04-13T20:29:02.810Z

Link: CVE-2026-40527

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-17T21:16:35.373

Modified: 2026-04-17T21:16:35.373

Link: CVE-2026-40527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:15:15Z