top of page
perceptive_background_267k.jpg

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands…

Published:

21 april 2026 om 22:00:00

Alert date:

22 april 2026 om 23:01:43

Source:

nvd.nist.gov

Click to open the original link from this advisory

Security Tools, Zero-Day Vulnerabilities

radare2 versions prior to 6.1.4 contain a critical command injection vulnerability in the PDB parser's print_gvars() function. Attackers can craft malicious PDB files with newline characters in symbol names to inject arbitrary radare2 commands. The vulnerability occurs through unsanitized symbol name interpolation in the flag rename command. When users run the idp command against a malicious PDB file, the injected commands execute, potentially leading to arbitrary OS command execution through radare2's shell execution operator. This represents a significant security risk for users analyzing untrusted PDB files.

Technical details

Mitigation steps:

Affected products:

radare2

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-40517
https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero
https://github.com/radareorg/radare2/issues/25730
https://github.com/radareorg/radare2/pull/25731
https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-symbol-names

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page