CVE-2026-41015
Received Received - Intake
Command Injection in radare2 rabin2 -PP on UNIX Without SSL

Publication date: 2026-04-16

Last updated on: 2026-04-16

Assigner: MITRE

Description
radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41015
EUVD
EUVD-2026-23161
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
radareorg radare2 to 6.1.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41015 is a command injection vulnerability in the radare2 tool, specifically in the rabin2 utility's handling of PDB (Program Database) filenames when downloading PDB files on UNIX systems without SSL support.

The vulnerability arises because the function responsible for escaping shell strings (`r_str_escape_sh`) assumes that escaped strings will be enclosed in double quotes. However, the actual shell command construction used single quotes inconsistently, allowing an attacker to inject malicious shell commands by crafting a PDB filename containing special characters like single quotes.

This flaw allows an attacker to break out of the intended command encapsulation and execute arbitrary shell commands during the PDB download process invoked by the `rabin2 -PP` command.

Impact Analysis

This vulnerability can lead to arbitrary command execution on the affected system when a malicious PDB filename is processed by the vulnerable radare2 version configured without SSL.

An attacker who can supply a crafted PDB filename can execute shell commands with the privileges of the user running radare2, potentially leading to system compromise, data theft, or further exploitation.

Because the vulnerability has a high CVSS score (7.4) with high impact on confidentiality, integrity, and availability, it poses a serious security risk.

Detection Guidance

This vulnerability can be detected by checking if the radare2 installation is built without SSL support and if the rabin2 tool is used with the -PP option to process PDB filenames. A minimal reproduction involves running rabin2 -PP on a crafted PE file whose PDB filename contains malicious payloads with single quotes to test for command injection.

Specifically, you can attempt to run the following command on a system with radare2 built without SSL support:

  • rabin2 -PP <crafted_PE_file_with_malicious_PDB_filename>

If the system executes injected shell commands embedded in the PDB filename, the vulnerability is present.

Mitigation Strategies

Immediate mitigation involves updating radare2 to the latest version from the git master branch where the fix has been merged. The fix properly encloses escaped strings in double quotes in the curl command construction to prevent command injection.

Additionally, avoid using radare2 builds without SSL support if possible, as the vulnerability specifically affects non-SSL UNIX configurations.

As a longer-term measure, the project recommends enforcing a character whitelist on PDB filenames and avoiding the use of system() calls to invoke curl, but the immediate step is to apply the hotfix from the latest git version.

Compliance Impact

The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41015. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart