Platform: c
Component: radare2
Fixed in: 6.1.4
CVE-2026-40499 is a command injection vulnerability in radare2 versions prior to 6.1.4. The flaw resides in the PDB parser's print_gvars() function and enables attackers to execute arbitrary commands. By supplying a PDB file with specially crafted section names, an attacker can inject r2 commands that are subsequently executed during file processing, potentially leading to system compromise. The vulnerability is resolved in version 6.1.4.
CVE-2026-40499 in radare2, affecting versions prior to 6.1.4, presents a significant risk due to command injection. The PDB parser, specifically the print_gvars() function, is vulnerable if malicious PDB files are processed. An attacker can inject arbitrary commands into the operating system by embedding a newline byte within a section header name field in the PDB file. When the idp command processes this file, the injected commands are executed, potentially allowing unauthorized code execution, data theft, or system modification. The severity of this vulnerability depends on the context in which radare2 is used and the privileges of the user executing it.
Exploitation of CVE-2026-40499 requires an attacker who can create or modify malicious PDB files. These files contain carefully crafted section names that include newline bytes, enabling command injection. The attacker must ensure that the malicious PDB file is processed through radare2's idp command. This could be achieved by tricking a user into opening the file or by including the file in an automated environment where radare2 is used for file analysis. The effectiveness of the attack depends on the system configuration and the permissions of the user executing radare2.
Exploit Status
EPSS: 0.17% (38th percentile)
The primary mitigation for CVE-2026-40499 is to update radare2 to version 6.1.4 or later. This version includes a fix addressing the command injection vulnerability in the PDB parser. Additionally, exercise caution when processing PDB files from untrusted sources. Input validation and using a runtime environment with limited privileges can help reduce the potential impact of a successful attack. Monitoring system logs for unusual activity can also aid in detecting and responding to potential exploits.
Update to version 6.1.4 or later to mitigate the command injection vulnerability. This update fixes the issue by correctly validating section names in the PDB parser, preventing the execution of arbitrary commands.
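The following C sketch illustrates the class of fix described above: validating a section header name field before it is written into line-oriented output. It is an added example, not radare2's actual patch or code; the function names, the allowlist and the output line format are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SECT_NAME_LEN 8 /* section header Name: fixed 8 bytes, may lack a NUL */

/* Copy the raw name field into out (at least SECT_NAME_LEN + 1 bytes), keeping
 * only allowlisted bytes. Returns how many bytes had to be replaced. */
int sanitize_section_name(const unsigned char *raw, char *out) {
    int replaced = 0;
    size_t i;
    for (i = 0; i < SECT_NAME_LEN && raw[i] != '\0'; i++) {
        unsigned char c = raw[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '$') {
            out[i] = (char)c;
        } else {
            out[i] = '_'; /* newline and every other non-allowlisted byte */
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

/* Hypothetical emitter: formats one output line that mentions the section
 * name and returns the number of '\n' bytes in it (-1 on truncation).
 * Any result other than 1 means the name broke out of its own line. */
int count_lines_emitted(char *buf, size_t bufsz, const char *sym, const char *sect) {
    int n = snprintf(buf, bufsz, "# %s in section %s\n", sym, sect);
    int newlines = 0;
    if (n < 0 || (size_t)n >= bufsz) return -1;
    for (const char *p = buf; *p; p++) newlines += (*p == '\n');
    return newlines;
}

int main(void) {
    /* Constructed sample field with an embedded newline, not from a real PDB. */
    const unsigned char hostile[SECT_NAME_LEN] = { '.', 'd', '\n', 'x', 'y', 'z', 0, 0 };
    char raw[SECT_NAME_LEN + 1] = { 0 }, clean[SECT_NAME_LEN + 1], line[64];
    memcpy(raw, hostile, SECT_NAME_LEN);
    printf("unsanitized: %d line(s)\n", count_lines_emitted(line, sizeof line, "sym", raw));
    int replaced = sanitize_section_name(hostile, clean);
    printf("sanitized:   %d line(s), %d byte(s) replaced\n",
           count_lines_emitted(line, sizeof line, "sym", clean), replaced);
    return 0;
}
```

A non-zero replacement count is also a useful signal to log, since well-formed section names do not contain control bytes.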
A PDB (Program Database) file is a debugging file used by Microsoft Windows to store information about programs, such as symbols, function names, and source code lines. It's used for debugging and analyzing programs.
Run radare2 --version. If the version is prior to 6.1.4, you are vulnerable. Update to the latest available version.
Currently, there are no specific tools to detect malicious PDB files designed to exploit this vulnerability. Caution and source validation of PDB files are recommended.
Command injection is a type of security vulnerability that allows an attacker to execute arbitrary commands on an operating system by inserting malicious commands into an input that is interpreted as a command.
Isolate the affected system, update radare2 to the latest version, and perform a forensic analysis to determine the scope of the compromise.