High severity7.8NVD Advisory· Published Apr 17, 2026· Updated Jun 5, 2026
CVE-2026-40527
CVE-2026-40527
Description
radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
3- github.com/radareorg/radare2/commit/bc5a89033db3ecb5b1f7bf681fc6ba4dcfc14683nvdPatch
- github.com/radareorg/radare2/pull/25821nvdIssue TrackingPatchExploit
- www.vulncheck.com/advisories/radare2-command-injection-via-dwarf-parameter-namesnvdThird Party Advisory
News mentions
0No linked articles in our index yet.