CVE-2026-40517
Published: 22 April 2026
Summary
CVE-2026-40517 is a high-severity OS Command Injection (CWE-78) vulnerability in Radare Radare2. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 8.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely identification, reporting, and patching of the command injection flaw in radare2 versions prior to 6.1.4.
Mandates validation of untrusted inputs like symbol names in PDB files to block command injection via unsanitized interpolation.
Enables scanning for and correction of the specific vulnerability in installed radare2 instances to prevent exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection in radare2's PDB parser enables arbitrary OS command execution when a user loads a malicious PDB file via the 'idp' command, directly mapping to exploitation for client execution (T1203), user execution of a malicious file (T1204.002), and command/script interpreters (T1059).
NVD Description
radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitized symbol name interpolation in the flag rename command, which are then executed when a user runs the idp command against the malicious PDB file, enabling arbitrary OS command execution through radare2's shell execution operator.
Deeper analysis
CVE-2026-40517 is a command injection vulnerability (CWE-78) in radare2 versions prior to 6.1.4, specifically within the PDB parser's print_gvars() function. The flaw arises from unsanitized symbol name interpolation during the flag rename command, allowing attackers to inject arbitrary radare2 commands via newline characters embedded in crafted PDB file symbol names. Published on 2026-04-22, the vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires a local attacker to provide a malicious PDB file, tricking a user into running the "idp" command against it in radare2. This triggers execution of the injected radare2 commands, which leverage the tool's shell execution operator to run arbitrary OS commands on the user's system. No privileges are needed beyond user interaction to load the file, potentially leading to full compromise of the local environment.
Advisories recommend upgrading to radare2 6.1.4 or later, where the issue is addressed via a patch in GitHub pull request #25731. Further technical details and analysis appear in the associated GitHub issue #25730, a Calif.io blog post on the discovery, and a VulnCheck advisory.
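As an added illustration, not radare2's own code or its fix, the C sketch below shows the defensive check the description above implies: a PDB symbol name is validated against an allow-list before it is interpolated into a flag rename command, so a name carrying a newline or other command metacharacter never reaches the command parser. The `fr <old> <new>` command format, the allow-list and the sample names are assumptions constructed for this example.

```c
/* Constructed example: validating decoded PDB symbol names before they are
 * interpolated into a radare2 command string. Not radare2's code or patch. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Allow-list (assumption): the characters a decoded symbol name is expected
 * to contain. A newline would start a second command line, and ';', '`',
 * quotes or the shell operator would be interpreted by the command parser,
 * so any byte outside the list causes the name to be rejected. */
static bool symbol_name_is_safe(const char *name) {
    if (name == NULL || *name == '\0') {
        return false;
    }
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (isalnum(*p) || strchr("_$@?.:<>", *p) != NULL) {
            continue;
        }
        return false; /* control byte or command metacharacter */
    }
    return true;
}

/* Vulnerable pattern as the advisory describes it: the raw name goes straight
 * into the command, so an embedded '\n' smuggles in a second command line.
 * Kept only to contrast with the hardened builder below. */
static int build_rename_cmd_unsafe(char *buf, size_t len, const char *old_flag, const char *sym) {
    return snprintf(buf, len, "fr %s %s", old_flag, sym);
}

/* Hardened builder: refuses to emit a command for a name that fails the check.
 * Returns the command length on success, -1 when the rename must be skipped. */
static int build_rename_cmd_safe(char *buf, size_t len, const char *old_flag, const char *sym) {
    if (!symbol_name_is_safe(old_flag) || !symbol_name_is_safe(sym)) {
        return -1; /* caller logs the offending symbol and moves on */
    }
    return snprintf(buf, len, "fr %s %s", old_flag, sym);
}

int main(void) {
    char cmd[128];
    const char *ok = "g_config";          /* constructed ordinary name */
    const char *bad = "sym\nsecond_line"; /* constructed name with a newline */
    printf("safe(ordinary)=%d safe(newline)=%d\n", symbol_name_is_safe(ok), symbol_name_is_safe(bad));
    printf("hardened rc=%d\n", build_rename_cmd_safe(cmd, sizeof cmd, "sym.0x1000", bad));
    return 0;
}
```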
Details
- CWE(s)