Radare2 Command Injection Flaw Exposes Analysis Workflow

The National Vulnerability Database (NVD) has detailed a critical command injection vulnerability, CVE-2026-40527, affecting radare2. This flaw resides in the afsv/afsvj command path. Attackers can embed malicious radare2 commands within DWARF formal parameter names in crafted ELF binaries. When radare2 analyzes such a binary with the ‘aaa’ command and then executes ‘afsvj’, these embedded commands are interpolated unsanitized, leading to arbitrary shell command execution on the analyst’s system.

This vulnerability carries a HIGH CVSS score of 7.8. The exploit vector is local (AV:L), requires no privileges (PR:N), but needs user interaction (UI:R) through the analyst running the command on a malicious file. The impact is significant, allowing for High Confidentiality, Integrity, and Availability (C:H/I:H/A:H) loss. While specific affected products beyond radare2 itself aren’t detailed by NVD, the core issue lies in how radare2 parses and executes commands derived from binary metadata.

Defenders analyzing potentially malicious binaries with radare2 must immediately update to a version post commit bc5a890. For organizations that cannot patch immediately, extreme caution is advised when analyzing untrusted ELF files. Consider isolating analysis environments or using sandboxed instances to mitigate the risk of arbitrary code execution during the reverse engineering process.