High severity7.8NVD Advisory· Published Apr 15, 2026· Updated May 1, 2026

CVE-2026-40499

Description

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.

Affected products

Radare/Radare2
cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*
Range: <=6.1.4

Patches

5590c87deeb7

https://github.com/radareorg/radare2via nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397nvdPatch
github.com/radareorg/radare2/issues/25752nvdExploitIssue TrackingThird Party Advisory
www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-print-gvarsnvdThird Party Advisory
github.com/radareorg/radare2/releases/tag/6.1.4nvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000