Cyber Resilience

CVE-2026-40499

Severity: High · Public PoC

Published: 15 April 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: available (fixed in 6.1.4, see Deeper analysis)
CVSS Score (v4): 8.4
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0118 (63.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40499 is a high-severity OS Command Injection (CWE-78) vulnerability in Radare Radare2. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 36.2% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40499 is a command injection vulnerability (CWE-78) in radare2 versions prior to 6.1.4, affecting the PDB parser's print_gvars() function. The flaw arises when a newline byte is embedded in the PE section header name field of a malicious PDB file: the name is interpolated into r2 command text, so the newline terminates the intended command and whatever follows it is interpreted as a further r2 command. These commands execute when the idp command processes the file. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A local attacker with no privileges can exploit this vulnerability by convincing a user to load a specially crafted PDB file using radare2's idp command. User interaction is required, such as opening the file in radare2 for analysis. Successful exploitation allows arbitrary command execution within the radare2 environment, potentially leading to high confidentiality, integrity, and availability impacts on the local system.

Mitigation involves updating to radare2 version 6.1.4 or later, where the issue is fixed via commit 5590c87deeb7eb2a106fd7aab9ca88bfeebb7397. Security practitioners should avoid processing untrusted PDB files with the idp command and review the GitHub issue #25752 and VulnCheck advisory for additional details.
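As an added illustration of the SI-10 (input validation) control discussed on this page, the C below shows the defensive check a parser needs before it interpolates an untrusted PE section name into a newline-delimited command script: a validator that refuses names containing control bytes, and a sanitizing variant that replaces them. This is example code written for this page, not radare2's code and not the fix in the commit cited above. The `label <name>` line format, the function names and the 8-byte section-name length (the size of the Name field in PE's IMAGE_SECTION_HEADER) are this example's own assumptions.

```c
/* Added example (not radare2's code): validate a PE section name before it
 * is interpolated into a newline-delimited command script. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

#define PE_SECTION_NAME_LEN 8  /* IMAGE_SECTION_HEADER.Name: 8 bytes, not NUL-terminated */

/* Length of a raw 8-byte section name: stops at the first NUL, never past 8. */
size_t pe_section_name_len(const char *raw) {
    size_t n = 0;
    while (n < PE_SECTION_NAME_LEN && raw[n] != '\0') n++;
    return n;
}

/* True only if every byte is printable ASCII. A '\n' or '\r' would start a
 * second command line in a script; other control bytes are never valid here. */
bool section_name_is_safe(const char *name, size_t len) {
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c >= 0x7f) return false;
    }
    return true;
}

/* Copy name into out, replacing each unsafe byte with '_'. Returns bytes written. */
size_t sanitize_section_name(const char *name, size_t len, char *out, size_t out_cap) {
    if (out_cap == 0) return 0;
    size_t n = 0;
    for (size_t i = 0; i < len && n + 1 < out_cap; i++) {
        unsigned char c = (unsigned char)name[i];
        out[n++] = (c < 0x20 || c >= 0x7f) ? '_' : (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Hypothetical script emitter: writes "label <name>" as exactly one command
 * line. Returns 0 on success, -1 if the name would smuggle a second line. */
int emit_label_line(const char *name, size_t len, char *out, size_t out_cap) {
    if (!section_name_is_safe(name, len)) return -1;
    int n = snprintf(out, out_cap, "label %.*s", (int)len, name);
    return (n < 0 || (size_t)n >= out_cap) ? -1 : 0;
}

/* Number of command lines a line-oriented consumer would see in script. */
int count_script_lines(const char *script) {
    int lines = (*script != '\0');
    for (const char *p = script; *p; p++)
        if (*p == '\n' && p[1] != '\0') lines++;
    return lines;
}

/* Verdict-only wrapper around emit_label_line for callers without a buffer. */
int label_line_status(const char *name, size_t len) {
    char buf[64];
    return emit_label_line(name, len, buf, sizeof buf);
}

/* Sanitize into a local buffer and report whether the result equals expected. */
bool sanitized_equals(const char *name, size_t len, const char *expected) {
    char buf[PE_SECTION_NAME_LEN + 1];
    sanitize_section_name(name, len, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed inputs: a normal section name and one with an embedded newline. */
    char benign[PE_SECTION_NAME_LEN]  = ".text";                 /* zero-padded */
    char hostile[PE_SECTION_NAME_LEN] = {'.', 'a', '\n', 'b', 'c', 'd', 0, 0};
    char line[64], clean[PE_SECTION_NAME_LEN + 1];

    size_t blen = pe_section_name_len(benign);
    printf("benign: status=%d line=\"%s\"\n",
           emit_label_line(benign, blen, line, sizeof line), line);

    size_t hlen = pe_section_name_len(hostile);
    int st = emit_label_line(hostile, hlen, line, sizeof line);   /* refused: -1 */
    sanitize_section_name(hostile, hlen, clean, sizeof clean);
    printf("hostile: status=%d sanitized=\"%s\"\n", st, clean);
    return 0;
}
```

The validator is the right default for a parser: a section name that is not printable ASCII is never legitimate, so rejecting it loses nothing, whereas the sanitizing variant is only appropriate where the name must still be shown to the user. Either way the invariant to preserve is that one field yields one command line, which count_script_lines makes checkable.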

Vulnerability details

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Command injection in radare2 client app via malicious PDB file enables T1203 (client exploitation) and requires user opening of malicious file for T1204.002.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40517 · Same product: Radare Radare2
CVE-2026-40527 · Same product: Radare Radare2
CVE-2026-8696 · Same product: Radare Radare2
CVE-2026-8695 · Same product: Radare Radare2
CVE-2025-1744 · Same product: Radare Radare2
CVE-2026-6941 · Same product: Radare Radare2
CVE-2026-6940 · Same product: Radare Radare2
CVE-2025-1864 · Same product: Radare Radare2
CVE-2026-6942 · Same vendor: Radare
CVE-2026-33874 · Shared CWE-78

Affected Assets

Vendor: radare
Product: radare2
Versions: ≤ 6.1.4

Mitigating Controls (NIST 800-53 r5, AI-assigned)

prevent · SI-2 (Flaw Remediation): Directly mitigates the command injection vulnerability by requiring timely flaw remediation through patching radare2 to version 6.1.4 or later.

prevent · SI-10 (Information Input Validation): Prevents command injection by enforcing validation and sanitization of untrusted inputs such as PDB file section header names, so that newlines and other malicious payloads are blocked before they reach the command interpreter.

detect: Identifies vulnerable radare2 installations via vulnerability scanning, enabling proactive remediation before exploitation of the PDB parser flaw.
