CVE-2026-40499

radare2 < 6.1.4 Command Injection via PDB Parser print_gvars()

CVSS 8.4 HIGHEPSS 1.2%CWE-78

In short

radare2, a popular reverse engineering tool, has a flaw in how it reads PDB debug files. An attacker can create a malicious PDB file with hidden commands in the section names, which get executed when the tool processes it, allowing them to run arbitrary code.

Technical detail

The PDB parser's print_gvars() function fails to properly sanitize section header names, allowing command injection through embedded newline bytes. When the idp command processes a crafted PDB file, unsanitized input is passed to a command execution context, enabling arbitrary command execution on the analyst's system.

Summary generated and translated by AI from the official description.

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

radareorg · radare2

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397 https://github.com/radareorg/radare2/issues/25752 https://github.com/radareorg/radare2/releases/tag/6.1.4 https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-print-gvars