CVE-2026-40499

Vulnerability Description

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.

Vulnerability Details

Published Date

April 15, 2026

Last Modified

April 20, 2026

CWE ID

CWE-78

Source

NVD

Vendor

radareorg

Product

radare2

External References

https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero
https://github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397
https://github.com/radareorg/radare2/issues/25752
https://github.com/radareorg/radare2/pull/25731
https://github.com/radareorg/radare2/releases/tag/6.1.4
https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-print-gvars

CVE-2026-40499

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment