CVE-2026-40499

EUVD-2026-22826
radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
radare2
sid
vulnerable
Common Weakness Enumeration
References
https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero
https://github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397
https://github.com/radareorg/radare2/issues/25752
https://github.com/radareorg/radare2/pull/25731
https://github.com/radareorg/radare2/releases/tag/6.1.4
https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-print-gvars