Cyber Posture

CVE-2026-41015

High

Published: 16 April 2026

Modified: 17 April 2026
CVSS Score: 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41015 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 2.7th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires timely remediation of software flaws, directly addressing this command injection vulnerability by mandating updates to radare2 commit 9236f44 or later.

prevent

Mandates automated validation of information inputs to tools like rabin2, preventing command injection via malicious PDB names.

detect

Enables vulnerability scanning and monitoring to identify the command injection flaw in vulnerable radare2 versions for prompt remediation.

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Command injection in radare2 rabin2 tool on UNIX systems enables client application exploitation (T1203) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.

Deeper analysis (AI)

CVE-2026-41015 is a command injection vulnerability (CWE-78) affecting radare2 versions before the commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2, specifically when configured on UNIX systems without SSL. The issue arises in the rabin2 tool via the -PP option, where a malicious PDB name can inject commands. The vulnerable code existed for less than a week, spanning versions after 6.1.2 but before 6.1.3. Radare2 users are advised to use the latest version from Git rather than formal releases.

The vulnerability has a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation requires local access with high attack complexity but no privileges or user interaction. A local attacker can leverage a crafted PDB name passed to rabin2 -PP to execute arbitrary commands, potentially achieving high impacts on confidentiality, integrity, and availability.

Mitigation involves updating to radare2 commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2 or later, as detailed in the project's SECURITY.md file, the fixing commit, and associated GitHub issue #25650 and pull request #25651.

Details

CWE(s): CWE-78 (OS Command Injection)

CVEs Like This One

CVE-2026-24844 (shared CWE-78)
CVE-2026-40032 (shared CWE-78)
CVE-2025-1244 (shared CWE-78)
CVE-2026-39862 (shared CWE-78)
CVE-2026-40030 (shared CWE-78)
CVE-2026-33412 (shared CWE-78)
CVE-2026-6849 (shared CWE-78)
CVE-2026-5485 (shared CWE-78)
CVE-2026-34714 (shared CWE-78)
CVE-2026-33874 (shared CWE-78)
