CVEFinder.io

CVE-2026-40517

⚠️ high
🔍 Scan for this CVE
Summary

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare

Description

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.

CVSS Score
7.8
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-04-22
First Seen: 2026-04-27
📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.6% of all 329,456 vulnerabilities in our database.

#100,230
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: Apr 23, 2026
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Total
Complete system compromise possible
🏆 Discovered By
Jun Rong of Calif.io
SSVC data provided by CISA
Last Modified 2026-04-27
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS Vector 4.0 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)
CWE-78

📦 Affected Products 1

Vendor Product Status Affected Versions
radare radare2 Affected
< 6.1.4

🔗 References 4

https://blog.calif.io/p/mad-bugs-discovering-a-0-day...
Exploit Third Party Advisory
https://github.com/radareorg/radare2/issues/25730
Exploit Issue Tracking Third Party Advisory
https://github.com/radareorg/radare2/pull/25731
Issue Tracking
https://www.vulncheck.com/advisories/radare2-command...
Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-8695 ⚠️ high 7.5 0.4 radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_threads_list() function that allows remote attackers t... 2026-05-15
CVE-2026-8696 ⚠️ high 7.5 0.4 radare2 6.1.5 contains a use-after-free vulnerability in the gdbr_pids_list() function within the GDB client core that a... 2026-05-15
CVE-2026-6940 ⚠️ high 7.1 0.0 radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recurs... 2026-04-23
CVE-2026-6941 🔶 medium 6.6 0.0 radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to re... 2026-04-23
CVE-2026-40527 ⚠️ high 7.8 0.1 radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ... 2026-04-17
CVE-2026-40499 ⚠️ high 7.8 0.0 radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function tha... 2026-04-15
These CVEs affect the same products