Cyber Resilience

CVE-2026-40527


Published: 17 April 2026

Modified: 05 June 2026
KEV Added: not listed
CVSS Score (v4): 8.5, vector CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0092 (55.5th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-40527 is a high-severity OS Command Injection (CWE-78) vulnerability in Radare Radare2. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked in the top 44.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-40527 is a command injection vulnerability (CWE-78) in radare2 prior to commit bc5a890. The flaw exists in the afsv/afsvj command path: a crafted ELF binary can embed radare2 command sequences as DWARF DW_TAG_formal_parameter names, and when radare2 analyzes the binary these names are interpolated unsanitized into the pfq command string.

An attacker with local access can exploit the vulnerability by crafting an ELF binary containing shell commands in its DWARF parameter names. A user who analyzes the binary with radare2's 'aaa' command and then runs 'afsvj' triggers execution of the embedded commands, giving the attacker arbitrary shell command execution on the host. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impact, with user interaction required.

Mitigation requires updating radare2 to commit bc5a890 or later, as detailed in the fixing commit at https://github.com/radareorg/radare2/commit/bc5a89033db3ecb5b1f7bf681fc6ba4dcfc14683 and pull request https://github.com/radareorg/radare2/pull/25821. Further analysis is provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/radare2-command-injection-via-dwarf-parameter-names.


Vulnerability details

radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.002 Malicious File (Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

The command injection in radare2 yields arbitrary shell command execution when a user analyzes a crafted malicious ELF binary (via 'aaa' then 'afsvj'). This maps directly to T1204.002 (the user opens a malicious file) and T1059.004 (the injected commands run in a Unix shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40499: same product (Radare Radare2)
CVE-2026-40517: same product (Radare Radare2)
CVE-2026-6941: same product (Radare Radare2)
CVE-2026-8696: same product (Radare Radare2)
CVE-2026-8695: same product (Radare Radare2)
CVE-2026-6940: same product (Radare Radare2)
CVE-2025-1744: same product (Radare Radare2)
CVE-2025-1864: same product (Radare Radare2)
CVE-2025-33206: shared CWE-78
CVE-2026-44465: shared CWE-78

Affected Assets

radare radare2, versions ≤ 6.1.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent (patching)
Directly requires updating radare2 to commit bc5a890 or later to remediate the command injection vulnerability in the afsv/afsvj command path.

Prevent (SI-10, Information Input Validation)
Mandates validation and sanitization of untrusted inputs, such as DWARF DW_TAG_formal_parameter names, so that they cannot be interpolated into pfq command strings as commands.

Detect (RA-5, Vulnerability Monitoring and Scanning)
Vulnerability scanning and monitoring identifies outdated radare2 installations that remain vulnerable to command injection via crafted ELF binaries.