Cyber Posture

CVE-2026-40499

High · Public PoC

Published: 15 April 2026

Modified: 01 May 2026
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (10.3th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40499 is a high-severity OS Command Injection (CWE-78) vulnerability in Radare Radare2. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 10.3th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly mitigates the command injection vulnerability by requiring timely flaw remediation through patching radare2 to version 6.1.4 or later.

prevent

Prevents command injection by enforcing validation and sanitization of untrusted inputs like PDB file section header names to block newlines and malicious payloads.

detect

Identifies vulnerable radare2 installations via vulnerability scanning, enabling proactive remediation before exploitation of the PDB parser flaw.

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.

Why these techniques?

Command injection in the radare2 client application via a malicious PDB file maps to T1203 (client exploitation). Because the user must open the malicious file, it also maps to T1204.002.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.

Deeper analysis [AI]

CVE-2026-40499 is a command injection vulnerability (CWE-78) in radare2 versions prior to 6.1.4, affecting the PDB parser's print_gvars() function. The flaw arises when a newline byte is embedded in the PE section header name field of a malicious PDB file, enabling injection of arbitrary r2 commands. These commands execute when the idp command processes the file. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker with no privileges can exploit this vulnerability by convincing a user to load a specially crafted PDB file using radare2's idp command. User interaction is required, such as opening the file in radare2 for analysis. Successful exploitation allows arbitrary command execution within the radare2 environment, potentially leading to high confidentiality, integrity, and availability impacts on the local system.

Mitigation involves updating to radare2 version 6.1.4 or later, where the issue is fixed via commit 5590c87deeb7eb2a106fd7aab9ca88bfeebb7397. Security practitioners should avoid processing untrusted PDB files with the idp command and review GitHub issue #25752 and the VulnCheck advisory for additional details.
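The input-validation control described above (blocking newlines in PDB section header names before they reach line-oriented command output) can be sketched as follows. This is an added example, not radare2's code or the fix shipped in 6.1.4; the helper name `sanitize_section_name` and the allowlist are assumptions, and the 8-byte width is the standard size of the PE section header name field.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SECTION_NAME_LEN 8 /* PE section Name field: 8 bytes, not always NUL-terminated */

/* Allowlist: characters that cannot end a line or separate commands. */
static int is_safe_name_char(unsigned char c) {
	return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
	       (c >= '0' && c <= '9') || c == '.' || c == '_';
}

/*
 * Hypothetical helper (not radare2 code): copy a raw section name into `out`,
 * replacing every byte outside the allowlist with '_'.
 * Returns the number of bytes replaced, or -1 if `out` is too small.
 */
int sanitize_section_name(const unsigned char raw[SECTION_NAME_LEN], char *out, size_t out_size) {
	if (out == NULL || out_size < SECTION_NAME_LEN + 1) {
		return -1;
	}
	int replaced = 0;
	size_t i;
	for (i = 0; i < SECTION_NAME_LEN && raw[i] != '\0'; i++) {
		if (is_safe_name_char(raw[i])) {
			out[i] = (char)raw[i];
		} else {
			out[i] = '_';
			replaced++;
		}
	}
	out[i] = '\0';
	return replaced;
}

int main(void) {
	/* Constructed sample inputs, not taken from any real file. */
	const unsigned char benign[SECTION_NAME_LEN] = { '.', 't', 'e', 'x', 't', 0, 0, 0 };
	const unsigned char hostile[SECTION_NAME_LEN] = { '.', 't', '\n', 'x', ';', 'y', 'z', 'w' };
	char name[SECTION_NAME_LEN + 1];
	int n = sanitize_section_name(benign, name, sizeof name);
	printf("%s (replaced %d)\n", name, n);
	n = sanitize_section_name(hostile, name, sizeof name);
	printf("%s (replaced %d)\n", name, n);
	return 0;
}
```

A non-zero return value is also a useful triage signal: a section name that needed rewriting is a reason to treat the file as suspect.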

Details

CWE(s)

Affected Products

radare radare2, versions ≤ 6.1.4

CVEs Like This One

CVE-2026-40517 - Same product: Radare Radare2
CVE-2025-1744 - Same product: Radare Radare2
CVE-2026-6941 - Same product: Radare Radare2
CVE-2025-1864 - Same product: Radare Radare2
CVE-2026-6940 - Same product: Radare Radare2
CVE-2026-4946 - Shared CWE-78
CVE-2026-34714 - Shared CWE-78
CVE-2026-33874 - Shared CWE-78
CVE-2026-21267 - Shared CWE-78
CVE-2026-41015 - Shared CWE-78
