CVE-2026-40499 — OS Command Injection in Radare2

CWE-78 — OS Command Injection6 documents4 sources

Severity

8.4HIGHNVD

EPSS

0.1%

top 68.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Radareorg Radare2

Timeline

PublishedApr 15

Latest updateApr 16

Description

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages1 packages

▶CVEListV5radareorg/radare2< 6.1.4

🔴Vulnerability Details

VulDB

radareorg radare2 up to 6.1.3 PDB Parser print_gvars os command injection (EUVD-2026-22826)↗2026-04-16

▶

GHSA

GHSA-7rhq-9q45-5gm4: radare2 prior to version 6↗2026-04-16

▶

💬Community

Bugzilla

CVE-2026-40499 radare2: radare2: Arbitrary command execution via command injection in PDB parser [epel-all]↗2026-04-15

▶

Bugzilla

CVE-2026-40499 radare2: radare2: Arbitrary command execution via command injection in PDB parser [fedora-all]↗2026-04-15

▶

Bugzilla

CVE-2026-40499 radare2: radare2: Arbitrary command execution via command injection in PDB parser↗2026-04-15

▶