{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40499", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-13T20:29:02.808Z", "datePublished": "2026-04-15T02:05:20.899Z", "dateUpdated": "2026-04-15T02:05:20.899Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-15T02:05:20.899Z"}, "title": "radare2 < 6.1.4 Command Injection via PDB Parser print_gvars()", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "affected": [{"vendor": "radareorg", "product": "radare2", "versions": [{"status": "affected", "version": "0", "lessThan": "6.1.4", "versionType": "semver"}, {"status": "unaffected", "version": "5590c87deeb7eb2a106fd7aab9ca88bfeebb7397", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file.<br>"}]}], "references": [{"url": "https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero", "tags": ["technical-description", "exploit"]}, {"url": "https://github.com/radareorg/radare2/pull/25731", "tags": ["issue-tracking"]}, {"url": "https://github.com/radareorg/radare2/issues/25752", "tags": ["issue-tracking"]}, {"url": "https://github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397", "tags": ["patch"]}, {"url": "https://github.com/radareorg/radare2/releases/tag/6.1.4", "tags": ["release-notes"]}, {"url": "https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-print-gvars", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "credits": [{"lang": "en", "value": "junrong of Calif", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's print_gvars() function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted section names to inject r2 commands that are executed when the idp command processes the file."}], "id": "CVE-2026-40499", "lastModified": "2026-04-15T04:17:48.330", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-15T04:17:48.330", "references": [{"source": "disclosure@vulncheck.com", "url": "https://blog.calif.io/p/mad-bugs-discovering-a-0-day-in-zero"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/radareorg/radare2/commit/5590c87deeb7eb2a106fd7aab9ca88bfeebb7397"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/radareorg/radare2/issues/25752"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/radareorg/radare2/pull/25731"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/radareorg/radare2/releases/tag/6.1.4"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/radare2-command-injection-via-pdb-parser-print-gvars"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,6.1.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "code_commit", "value": "5590c87deeb7eb2a106fd7aab9ca88bfeebb7397"}}], "enrichment": {"confidence": 90.0, "confidence_source": "matching", "scores": [{"score": 90.0, "source": "matching"}]}, "original": {"product": "radare2", "source": "cna", "vendor": "radareorg"}, "product": "radare2", "vendor": "radare"}], "analysis": {"en": {"generated_at": "2026-04-15T03:20:17.208423+00:00", "value": {"mitigation_remediation": ["Upgrade radare2 to version 6.1.4 or later", "Avoid loading untrusted PDB files with the idp command until a patch is applied", "Monitor system logs for unexpected command execution or unauthorized PDB file usage"], "summary": {"action": "Update", "impact": "Arbitrary Command Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects radare2 from radareorg, all releases prior to 6.1.4. Users running 6.0.x, 6.1.0, 6.1.1, 6.1.2 or 6.1.3 are impacted. Version 6.1.4 and later contain the fix.", "description_and_impact": "radare2 versions older than 6.1.4 contain a command injection flaw in the PDB parser\u2019s print_gvars() function. An attacker can embed a newline byte in a PE section header name field and craft a malicious PDB file so that r2 commands are injected and executed when the idp command processes the file. This weakness is an OS command injection (CWE\u201178) that allows the execution of arbitrary commands in the environment where radare2 runs.", "risk_and_exploitability": "The CVSS score of 8.4 classifies this as a high severity vulnerability. No EPSS score is available and the issue is not listed in the CISA KEV catalog. The attack vector is inferred to be local: an attacker must be able to supply a malicious PDB file to radare2. If the tool processes user\u2011controlled PDB data, the attacker can execute arbitrary r2 commands, potentially escalating to system\u2011level commands. The absence of a publicly known exploitable pattern suggests the exploitability is moderate, but the high severity and ability to impact the user\u2019s environment warrant prompt remediation."}}}}, "created": "2026-04-15T13:44:47.520419+00:00", "updated": "2026-04-15T13:49:14.870022+00:00", "vendors": ["radare", "radare$PRODUCT$radare2"]}