CVE-2026-40527
Published: 17 April 2026
Summary
CVE-2026-40527 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 10.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires patching radare2 to commit bc5a890 or later to remediate the command injection vulnerability in the afsv/afsvj command path.
Mandates validation and sanitization of untrusted inputs like DWARF DW_TAG_formal_parameter names to block their malicious interpolation into pfq command strings.
Vulnerability scanning and monitoring identifies outdated radare2 versions vulnerable to command injection via crafted ELF binaries.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection in radare2 enables arbitrary shell command execution when a user analyzes a crafted malicious ELF binary (via 'aaa' then 'afsvj'), directly mapping to T1204.002 (user opens malicious file) and T1059.004 (Unix Shell for injected commands).
NVD Description
radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.
Deeper analysis
CVE-2026-40527 is a command injection vulnerability (CWE-78) in radare2 prior to commit bc5a890. The flaw exists in the afsv/afsvj command path, where crafted ELF binaries can embed malicious radare2 command sequences as DWARF DW_TAG_formal_parameter names. This enables unsanitized parameter interpolation in the pfq command string when radare2 analyzes the binary.
An attacker with local access can exploit the vulnerability by crafting an ELF binary containing shell commands in DWARF parameter names. When a user analyzes the binary with radare2's 'aaa' command and then runs 'afsvj', the embedded commands execute, giving the attacker arbitrary shell command execution on the host. The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), reflecting high confidentiality, integrity, and availability impact, with user interaction required.
Mitigation requires updating radare2 to commit bc5a890 or later, as detailed in the fixing commit at https://github.com/radareorg/radare2/commit/bc5a89033db3ecb5b1f7bf681fc6ba4dcfc14683 and pull request https://github.com/radareorg/radare2/pull/25821. Further analysis is provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/radare2-command-injection-via-dwarf-parameter-names.
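A triage check for the DWARF parameter names described above, as an added example (it is not radare2's fix and not code from the advisory): it reads the text output of `readelf --debug-dump=info` and lists DW_TAG_formal_parameter names that are not plain C identifiers. The sample dump is constructed, and treating every non-identifier name as suspicious is an assumption of this example.

```python
import re

# Constructed sample of `readelf --debug-dump=info` output (not from a real binary).
SAMPLE = """\
 <1><2d>: Abbrev Number: 2 (DW_TAG_subprogram)
    <2e>   DW_AT_name        : main
 <2><4b>: Abbrev Number: 3 (DW_TAG_formal_parameter)
    <4c>   DW_AT_name        : argc
    <50>   DW_AT_decl_file   : 1
 <2><59>: Abbrev Number: 3 (DW_TAG_formal_parameter)
    <5a>   DW_AT_name        : (indirect string, offset: 0x1f): argv;CONSTRUCTED-NON-IDENTIFIER
 <2><67>: Abbrev Number: 3 (DW_TAG_formal_parameter)
    <68>   DW_AT_name        : n
CONSTRUCTED-SECOND-LINE
 <2><75>: Abbrev Number: 4 (DW_TAG_variable)
    <76>   DW_AT_name        : tmp;ignored-not-a-parameter
"""

DIE_RE = re.compile(r"^\s*<\d+><([0-9a-f]+)>: Abbrev Number: \d+(?: \((DW_TAG_\w+)\))?")
ATTR_RE = re.compile(r"^\s*<[0-9a-f]+>\s+(DW_AT_\w+)\s*:\s?(.*)$")
INDIRECT_RE = re.compile(r"^\([a-z ]*string, offset: 0x[0-9a-f]+\): ")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def suspicious_parameter_names(dump):
    """Return (die_offset, name) for each DW_TAG_formal_parameter whose
    DW_AT_name is not a plain C identifier (assumed policy of this example)."""
    findings, tag, die, pending = [], None, None, None
    for line in dump.splitlines():
        m = DIE_RE.match(line)
        if m:  # a new DIE starts; remember its offset and tag
            die, tag, pending = m.group(1), m.group(2), None
            continue
        a = ATTR_RE.match(line)
        if a:
            pending = None
            if tag == "DW_TAG_formal_parameter" and a.group(1) == "DW_AT_name":
                name = INDIRECT_RE.sub("", a.group(2))
                if IDENT_RE.fullmatch(name):
                    pending = (die, name)  # clean unless a continuation line follows
                else:
                    findings.append((die, name))
        elif pending and line.strip():
            # Non-attribute line right after a name: the name contained a newline.
            findings.append((pending[0], pending[1] + "\\n" + line.strip()))
            pending = None
    return findings


if __name__ == "__main__":
    for offset, name in suspicious_parameter_names(SAMPLE):
        print(f"DIE <{offset}>: non-identifier parameter name: {name!r}")
```

Feed it the output of binutils `readelf` for an untrusted ELF before opening that file in a radare2 build older than commit bc5a890. A non-empty result is a reason to analyze the file only in a patched build.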
Details
- CWE(s)