Description
radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.
Published: 2026-04-16
Score: 7.4 High
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in radare2 triggered when an attacker supplies a specially crafted PDB name to the rabin2 -PP command while the software runs on UNIX systems with SSL disabled. Affected releases are those before commit 9236f44, specifically those released between version 6.1.2 and 6.1.3. If an attacker can control the PDB name, the shell is executed with arbitrary commands, potentially granting full control of the host where radare2 is running. This flaw is classified as CWE‑78.

Affected Systems

Users of radare2 before commit 9236f44 that are configured on UNIX without SSL are affected. This includes all versions released between 6.1.2 and 6.1.3; it is inferred that earlier releases that have not applied the patch may also be affected. Releases after 6.1.3 or those with SSL enabled are not impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 7.4, indicating high severity. Exploitation requires the ability to influence the PDB name in the rabin2 -PP invocation. If radare2 is run by a privileged user or if it is exposed through a network service without SSL—a scenario inferred from the description—an attacker could achieve remote code execution. EPSS score is 1% and the issue is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on June 18, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade radare2 to a commit newer than 9236f44, preferably a release newer than 6.1.3 from the official repository or packaged distributions.
  • Ensure that radare2 is configured with SSL enabled; if SSL cannot be enabled, run radare2 with the least privilege and restrict its use to trusted users.
  • If an upgrade cannot be performed immediately, disable or remove the rabin2 -PP option for untrusted input or encode and whitelist the PDB names to prevent execution of malicious commands.

Generated by OpenCVE AI on June 18, 2026 at 13:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Command Injection via PDB Name in radare2 on UNIX without SSL

Wed, 17 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Title Command Injection via PDB Name in radare2 on UNIX without SSL

Tue, 16 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Title Command Injection via PDB Name in radare2 When SSL Disabled

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Title Command Injection via PDB Name in radare2 When SSL Disabled

Thu, 16 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.
First Time appeared Radare
Radare radare2
Weaknesses CWE-78
CPEs cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*
Vendors & Products Radare
Radare radare2
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Radare Radare2
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T13:15:26.207Z

Reserved: 2026-04-16T02:35:46.790Z

Link: CVE-2026-41015

cve-icon Vulnrichment

Updated: 2026-04-16T13:15:10.629Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T03:16:27.440

Modified: 2026-06-17T10:46:03.317

Link: CVE-2026-41015

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:30:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')