Radare2 Vulnerability: Command Injection via PDB Name

The National Vulnerability Database (NVD) has detailed a critical command injection vulnerability, CVE-2026-41015, impacting radare2, a powerful reverse engineering framework. The flaw resides in the rabin2 -PP command when radare2 is configured on UNIX-based systems without SSL enabled. Attackers can exploit this by supplying a malicious PDB (Program Database) name, leading to arbitrary command execution.

While radare2 users are generally advised to pull the latest code from Git rather than relying on release versions, the window of vulnerability was exceptionally narrow. NVD notes that the affected code existed between versions 6.1.2 and 6.1.3, a period lasting less than a week. Despite this short timeframe, the severity is significant, rated as HIGH with a CVSS score of 7.4.

The Common Vulnerability Scoring System (CVSS) vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H indicates a local attack vector (AV:L), though the exploit requires a high complexity (AC:H) and no privileges (PR:N) or user interaction (UI:N). The impact is high across confidentiality, integrity, and availability (C:H/I:H/A:H). This vulnerability falls under CWE-78, which specifically addresses OS command injection flaws.