Command Injection Vulnerability in radare2 PDB Parser
CVE-2026-40499

8.4HIGH

Key Information:

Vendor: Radareorg
Status: Radare2
Vendor: CVE Published:; 15 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-40499?

radare2, prior to version 6.1.4, is susceptible to a command injection vulnerability located in the PDB parser's print_gvars() function. This vulnerability allows attackers to execute arbitrary commands by inserting a newline byte into the PE section header name field of a maliciously crafted PDB file. An attacker could exploit this flaw by embedding specially crafted section names, which would execute unauthorized r2 commands during the processing of the file using the idp command.

Affected Version(s)

radare2 0 < 6.1.4

radare2 5590c87deeb7eb2a106fd7aab9ca88bfeebb7397

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-40499 - Proof of Concept

References

https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero

technical-descriptionexploit

https://github.com/radareorg/radare2/pull/25731

issue-tracking

https://github.com/radareorg/radare2/issues/25752

issue-tracking

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 15, 2026
👾
Exploit known to exist
Apr 15, 2026
Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 13, 2026

Credit

junrong of Calif

CVE-2026-40499 Data

JSON

Radareorg

Badges

What is CVE-2026-40499?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit