Command Injection Vulnerability in radare2 by radareorg
CVE-2026-41015

7.4HIGH

Key Information:

Vendor: Radare
Status: Radare2
Vendor: CVE Published:; 16 April 2026

What is CVE-2026-41015?

The radare2 binary analysis tool, when configured on UNIX systems without SSL, is susceptible to a command injection vulnerability. This issue arises when a specially crafted PDB name is passed to the rabin2 utility with the -PP flag. The vulnerability specifically affects versions prior to 6.1.3, with the vulnerable code present in a small time window between version 6.1.2 and 6.1.3. Users are advised to utilize the latest version from the Git repository to mitigate potential risks.

Affected Version(s)

radare2 01ca2f61fa43bd3f4b732447de31b16039d820c0 < 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2

References

https://github.com/radareorg/radare2/issues/25650

https://github.com/radareorg/radare2/pull/25651

https://github.com/radareorg/radare2/blob/9236f44a28812fe...

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 16, 2026
Vulnerability Reserved
Apr 16, 2026

CVE-2026-41015 Data

JSON

Radare

What is CVE-2026-41015?

Affected Version(s)

References

CVSS V3.1

Timeline