Command Injection in radare2 by radareorg
CVE-2026-40527

8.5HIGH

Key Information:

Vendor: Radareorg
Status: Radare2
Vendor: CVE Published:; 17 April 2026

What is CVE-2026-40527?

radare2 versions prior to a specific commit contain a command injection vulnerability in the afsv/afsvj command execution path. Attackers can exploit this weakness by crafting ELF binaries that contain malicious r2 command sequences disguised as DWARF DW_TAG_formal_parameter names. When the radare2 tool analyzes such binaries using the 'aaa' command followed by 'afsvj', it inadvertently executes these embedded shell commands. This vulnerability stems from a lack of sanitization, allowing arbitrary shell command execution through insufficiently validated parameter interpolation in the pfq command string.

Affected Version(s)

radare2 0

References

https://github.com/radareorg/radare2/pull/25821

issue-tracking

https://github.com/radareorg/radare2/commit/bc5a89033db3e...

patch

https://www.vulncheck.com/advisories/radare2-command-inje...

third-party-advisory

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 17, 2026
Vulnerability Reserved
Apr 13, 2026

Credit

Shota Zaizen

CVE-2026-40527 Data

JSON

Radareorg

What is CVE-2026-40527?

Affected Version(s)

References

CVSS V4

Timeline

Credit