CVE-2026-40499

EUVD-2026-22826
radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
radareradare2
𝑥
≤ 6.1.4
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
radare2
sid
vulnerable
Common Weakness Enumeration
References
https://github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397
https://github.com/radareorg/radare2/issues/25752
https://github.com/radareorg/radare2/releases/tag/6.1.4
https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-print-gvars