VYPR
High severity7.8NVD Advisory· Published Apr 17, 2026· Updated Jun 5, 2026

CVE-2026-40527

CVE-2026-40527

Description

radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Radare/Radare2references3 versions
    (expand)+ 2 more
    • (no CPE)
    • cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*range: <6.1.6
    • (no CPE)range: < commit bc5a890

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.