Cyber Resilience

CVE-2026-41015

Severity: High

Published: 16 April 2026
Modified: 17 April 2026
CVSS Score (v3.1): 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0001 (2.5th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-41015 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The vulnerability is ranked at the 2.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41015 is a command injection vulnerability (CWE-78) affecting radare2 versions before the commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2, specifically when configured on UNIX systems without SSL. The issue arises in the rabin2 tool via the -PP option, where a malicious PDB name can inject commands. The vulnerable code existed for less than a week, spanning versions after 6.1.2 but before 6.1.3. Radare2 users are advised to use the latest version from Git rather than formal releases.

The vulnerability has a CVSS v3.1 base score of 7.4 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation requires local access with high attack complexity but no privileges or user interaction. A local attacker can leverage a crafted PDB name passed to rabin2 -PP to execute arbitrary commands, potentially achieving high impacts on confidentiality, integrity, and availability.

Mitigation involves updating to radare2 commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2 or later, as detailed in the project's SECURITY.md file, the fixing commit, and associated GitHub issue #25650 and pull request #25651.
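To make the CWE-78 pattern and the SI-10 style mitigation concrete, here is an added example in C (illustrative code, not radare2's own source): a hypothetical PDB-fetch step with an allowlist check on the PDB name, and the fetcher launched through posix_spawnp with a discrete argv instead of a shell command string. The fetcher program, the base URL and the commented vulnerable shape are assumptions.

```c
/* Added illustration (not radare2's code): the CWE-78 pattern behind
 * CVE-2026-41015 beside an SI-10 style fix. The fetcher program, the
 * base URL and the PDB-fetch step itself are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <spawn.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* Allowlist check: a PDB name is a bare file name such as "ntdll.pdb".
 * Permit only [A-Za-z0-9._-], require the ".pdb" suffix, and reject names
 * starting with '-' (option lookalikes) or '.' (hidden / "../" paths).
 * Shell metacharacters such as ';', '|', '`' and '$' therefore never pass. */
int pdb_name_is_safe(const char *name) {
    size_t len = name ? strlen(name) : 0;
    if (len < 5 || len > 255) return 0;
    if (strcmp(name + len - 4, ".pdb") != 0) return 0;
    if (name[0] == '-' || name[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Vulnerable shape, shown only as a comment: splicing the name into a shell
 * command line lets a name like "x;id.pdb" run extra commands as the user.
 *     snprintf(cmd, sizeof cmd, "wget %s/%s", base_url, pdb_name);
 *     system(cmd);
 */

/* Hardened shape: validate first, then hand the URL to the fetcher as one
 * argv element through posix_spawnp, which never involves a shell.
 * Returns the fetcher's exit status, or -1 on rejection or spawn failure. */
int fetch_pdb_safely(const char *fetcher, const char *base_url,
                     const char *pdb_name) {
    if (!pdb_name_is_safe(pdb_name)) return -1;
    char url[1024];
    int n = snprintf(url, sizeof url, "%s/%s", base_url, pdb_name);
    if (n < 0 || n >= (int)sizeof url) return -1;
    char *const argv[] = { (char *)fetcher, "--", url, NULL };
    pid_t pid; int status = 0;
    if (posix_spawnp(&pid, fetcher, NULL, NULL, argv, environ) != 0) return -1;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allowlist is deliberately narrower than what a shell would misinterpret, so a rejected name is logged and dropped rather than "escaped"; the argv-based launch is the structural fix, the validation is defence in depth.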


Vulnerability details

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.


MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell (tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in radare2 rabin2 tool on UNIX systems enables client application exploitation (T1203) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24844 (shared CWE-78)
CVE-2025-1244 (shared CWE-78)
CVE-2026-39862 (shared CWE-78)
CVE-2026-5485 (shared CWE-78)
CVE-2026-40030 (shared CWE-78)
CVE-2026-40032 (shared CWE-78)
CVE-2026-33412 (shared CWE-78)
CVE-2026-6849 (shared CWE-78)
CVE-2026-34714 (shared CWE-78)
CVE-2026-33874 (shared CWE-78)


Mitigating Controls (NIST 800-53 r5)

prevent: Requires timely remediation of software flaws, directly addressing this command injection vulnerability by mandating updates to radare2 commit 9236f44 or later.

prevent (SI-10, Information Input Validation): Mandates automated validation of information inputs to tools like rabin2, preventing command injection via malicious PDB names.

detect (RA-5, Vulnerability Monitoring and Scanning): Enables vulnerability scanning and monitoring to identify the command injection flaw in vulnerable radare2 versions for prompt remediation.
