๐Ÿ” CVE Alert

CVE-2026-40499

UNKNOWN 0.0

radare2 < 6.1.4 Command Injection via PDB Parser print_gvars()

CVSS Score 0.0
EPSS Score 0.1%
EPSS Percentile 32nd

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function. An attacker can embed a newline byte in the PE section header name field of a crafted PDB file so that the remainder of the name is interpreted as additional r2 commands; those injected commands are executed when the idp command processes the file, giving the attacker arbitrary command execution.

CWE CWE-78
Vendor radareorg
Product radare2
Published Apr 15, 2026
Last Updated Apr 16, 2026

Affected Versions

radareorg / radare2: all versions before 6.1.4

References

blog.calif.io: https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero
github.com (issue): https://github.com/radareorg/radare2/issues/25752
github.com (fix commit): https://github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397
github.com (release): https://github.com/radareorg/radare2/releases/tag/6.1.4
vulncheck.com: https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-print-gvars

Credits

junrong of Calif