Description
radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.
Published: 2026-04-16
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a command injection flaw in radare2 triggered when an attacker supplies a specially crafted PDB name to the rabin2 -PP command while the software runs on UNIX systems with SSL disabled. Affected releases are those before commit 9236f44, specifically those released between version 6.1.2 and 6.1.3. If an attacker can control the PDB name, the shell is executed with arbitrary commands, potentially granting full control of the host where radare2 is running. This flaw is classified as CWE‑78.

Affected Systems

Users of radare2 before commit 9236f44 that are configured on UNIX without SSL are affected. This includes all versions released between 6.1.2 and 6.1.3 as well as earlier releases that have not applied the patch. Releases after 6.1.3 or those with SSL enabled are not impacted.

Risk and Exploitability

The vulnerability has a CVSS score of 7.4, indicating high severity. Exploitation requires the ability to influence the PDB name in the rabin2 -PP invocation. If radare2 is run by a privileged user or exposed through a network service without SSL, an attacker could achieve remote code execution. EPSS data is unavailable and the issue is not listed in the CISA KEV catalog at this time.

Generated by OpenCVE AI on April 16, 2026 at 09:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade radare2 to a commit newer than 9236f44, preferably a release newer than 6.1.3 from the official repository or packaged distributions.
  • Ensure that radare2 is configured with SSL enabled; if SSL cannot be enabled, run radare2 with the least privilege and restrict its use to trusted users.
  • If an upgrade cannot be performed immediately, disable or remove the rabin2 -PP option for untrusted input or encode and whitelist the PDB names to prevent execution of malicious commands.

Generated by OpenCVE AI on April 16, 2026 at 09:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:30:00 +0000

Type Values Removed Values Added
Title Command Injection via PDB Name in radare2 When SSL Disabled

Thu, 16 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Description radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.
First Time appeared Radare
Radare radare2
Weaknesses CWE-78
CPEs cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*
Vendors & Products Radare
Radare radare2
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Radare Radare2
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-16T13:15:26.207Z

Reserved: 2026-04-16T02:35:46.790Z

Link: CVE-2026-41015

cve-icon Vulnrichment

Updated: 2026-04-16T13:15:10.629Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-16T03:16:27.440

Modified: 2026-04-17T15:38:09.243

Link: CVE-2026-41015

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses