Command Injection Vulnerability in radare2 PDB Parser
CVE-2026-40499

8.4HIGH

Key Information:

Vendor

Radareorg

Status
Vendor
CVE Published:
15 April 2026

Badges

๐Ÿ‘พ Exploit Exists

What is CVE-2026-40499?

radare2, prior to version 6.1.4, is susceptible to a command injection vulnerability located in the PDB parser's print_gvars() function. This vulnerability allows attackers to execute arbitrary commands by inserting a newline byte into the PE section header name field of a maliciously crafted PDB file. An attacker could exploit this flaw by embedding specially crafted section names, which would execute unauthorized r2 commands during the processing of the file using the idp command.

Affected Version(s)

radare2 0 < 6.1.4

radare2 5590c87deeb7eb2a106fd7aab9ca88bfeebb7397

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

junrong of Calif
.