High severity7.8NVD Advisory· Published Apr 17, 2026· Updated Apr 20, 2026

CVE-2026-40527

Description

radare2 prior to commit bc5a890 contains a command injection vulnerability in the afsv/afsvj command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. Attackers can craft a binary with shell commands in DWARF parameter names that execute when radare2 analyzes the binary with aaa and subsequently runs afsvj, allowing arbitrary shell command execution through the unsanitized parameter interpolation in the pfq command string.

Affected products

Radareorg/Radare2references

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/radareorg/radare2/commit/bc5a89033db3ecb5b1f7bf681fc6ba4dcfc14683nvd
github.com/radareorg/radare2/pull/25821nvd
www.vulncheck.com/advisories/radare2-command-injection-via-dwarf-parameter-namesnvd

News mentions

A Deep Dive Into Attempted Exploitation of CVE-2023-33538
Unit 42 · Apr 16, 2026

cvss	0.507
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000