Command Injection in Radare2 PDB Parser Affecting Radare2 Software
CVE-2026-40517

8.4HIGH

Key Information:

Vendor: Radareorg
Status: Radare2
Vendor: CVE Published:; 22 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-40517?

Radare2 versions prior to 6.1.4 are susceptible to a command injection flaw within the PDB parser’s print_gvars() function. This vulnerability arises when an attacker crafts a malicious PDB file that incorporates newline characters within the symbol names. Through this manipulation, arbitrary commands can be injected into the radare2 environment via unsanitized symbol name interpolation. When a user executes the idp command against a compromised PDB file, the embedded commands are executed, potentially allowing the attacker to execute arbitrary operating system commands through radare2’s shell execution capabilities.

Affected Version(s)

radare2 0 < 6.1.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-40517 - Proof of Concept

References

https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero

technical-descriptionexploit

https://github.com/radareorg/radare2/issues/25730

issue-tracking

https://github.com/radareorg/radare2/pull/25731

patch

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 22, 2026
👾
Exploit known to exist
Apr 22, 2026
Vulnerability published
Apr 22, 2026
Vulnerability Reserved
Apr 13, 2026

Credit

Jun Rong of Calif.io

CVE-2026-40517 Data

JSON

Radareorg

Badges

What is CVE-2026-40517?

Affected Version(s)

Exploit Proof of Concept (PoC)

References

CVSS V4

Timeline

Credit