Radare2 Command Injection: Malicious PDB Files Execute OS Commands
The National Vulnerability Database has disclosed CVE-2026-40517, a critical command injection vulnerability in radare2 versions prior to 6.1.4. This flaw resides within the PDB parser’s print_gvars() function. Attackers can exploit this by crafting a malicious PDB file that includes newline characters in symbol names.
Because the symbol name is interpolated unsanitized into the flag rename command, the embedded newline allows arbitrary radare2 command injection. When a user subsequently runs the idp command against the specially crafted PDB file, these injected commands are executed. Critically, this can escalate to arbitrary operating system command execution through radare2’s built-in shell execution operator. The National Vulnerability Database assigns this a CVSS score of 7.8 (High).
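The injection class described above, as an added C example that is not radare2's own code or its actual fix: it contrasts raw interpolation of a symbol name into a command line with allowlist filtering before interpolation. The `rename-flag` command template, the function names and the sample symbol name are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical template standing in for the flag rename command line. */
#define RENAME_FMT "rename-flag %s pdb.%s"

/* Constructed sample: a symbol name carrying an embedded newline. */
static const char SAMPLE_SYM[] = "g_counter\nPLACEHOLDER_SECOND_COMMAND";

/* Number of lines a newline-delimited command interpreter would see. */
static int count_commands(const char *buf) {
    int n = (*buf != '\0');
    for (; *buf; buf++) {
        if (*buf == '\n') n++;
    }
    return n;
}

/* Vulnerable pattern: the symbol name is interpolated as-is. */
static int build_unsafe(char *out, size_t n, const char *old, const char *sym) {
    return snprintf(out, n, RENAME_FMT, old, sym);
}

/* Allowlist filter: every byte outside [A-Za-z0-9_.] becomes '_',
 * which removes newlines and any other command separator. */
static void filter_name(char *dst, size_t n, const char *src) {
    size_t i = 0;
    if (n == 0) return;
    for (; src[i] && i + 1 < n; i++) {
        unsigned char c = (unsigned char)src[i];
        int ok = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
                 (c >= 'a' && c <= 'z') || c == '_' || c == '.';
        dst[i] = ok ? (char)c : '_';
    }
    dst[i] = '\0';
}

/* Hardened pattern: filter the name first, then interpolate it. */
static int build_safe(char *out, size_t n, const char *old, const char *sym) {
    char clean[256];
    filter_name(clean, sizeof clean, sym);
    return snprintf(out, n, RENAME_FMT, old, clean);
}

int main(void) {
    char buf[512];
    build_unsafe(buf, sizeof buf, "old", SAMPLE_SYM);
    printf("unsafe: %d command line(s)\n", count_commands(buf));
    build_safe(buf, sizeof buf, "old", SAMPLE_SYM);
    printf("safe:   %d command line(s): %s\n", count_commands(buf), buf);
    return 0;
}
```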
For defenders, this is a stark reminder that even trusted tools can be weaponized. The attack vector relies on user interaction (running idp on a malicious file), making it a social engineering or supply chain risk. Ensure all radare2 installations are updated to version 6.1.4 or later immediately. Educate your teams on the dangers of processing untrusted files, especially those from external or unverified sources.
What This Means For You
- If your security or development teams use radare2 for reverse engineering or binary analysis, you are exposed. Attackers can leverage CVE-2026-40517 to execute arbitrary OS commands on analyst workstations, leading to full system compromise. Patch radare2 to version 6.1.4 or higher immediately and enforce strict policies on handling untrusted PDB files.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40517 | Command Injection | radare2 versions prior to 6.1.4 |
| CVE-2026-40517 | Command Injection | PDB parser's print_gvars() function |
| CVE-2026-40517 | RCE | Malicious PDB file with newline characters in symbol names |
| CVE-2026-40517 | Command Injection | Unsanitized symbol name interpolation in flag rename command |
| CVE-2026-40517 | Command Injection | Execution via 'idp' command against malicious PDB file |
Source & Attribution
| Source Platform | NVD |
|---|---|
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 01:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.