CVE-2026-41015
Command Injection in radare2 rabin2 -PP on UNIX Without SSL
Publication date: 2026-04-16
Last updated on: 2026-04-16
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| radareorg | radare2 | up to 6.1.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not include any details about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-41015 is a command injection vulnerability in the radare2 tool, specifically in the rabin2 utility's handling of PDB (Program Database) filenames when downloading PDB files on UNIX systems without SSL support.
The vulnerability arises because the function responsible for escaping shell strings (`r_str_escape_sh`) assumes that its output will be enclosed in double quotes. The actual shell command construction, however, wrapped the escaped value in single quotes instead, a mismatch that allows an attacker to inject shell commands by crafting a PDB filename containing special characters such as single quotes.
This flaw allows an attacker to break out of the intended command encapsulation and execute arbitrary shell commands during the PDB download process invoked by the `rabin2 -PP` command.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary command execution on the affected system when a malicious PDB filename is processed by the vulnerable radare2 version configured without SSL.
An attacker who can supply a crafted PDB filename can execute shell commands with the privileges of the user running radare2, potentially leading to system compromise, data theft, or further exploitation.
Because the vulnerability has a high CVSS score (7.4) with high impact on confidentiality, integrity, and availability, it poses a serious security risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the installed radare2 is an affected version (below 6.1.3) built without SSL support, and whether the rabin2 tool is used with the `-PP` option to process PDB filenames. A minimal reproduction involves running `rabin2 -PP` on a crafted PE file whose PDB filename contains malicious payloads with single quotes to test for command injection.
Specifically, you can attempt to run the following command on a system with radare2 built without SSL support:
- `rabin2 -PP <crafted_PE_file_with_malicious_PDB_filename>`
If the system executes injected shell commands embedded in the PDB filename, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves updating radare2 to the latest version from the git master branch where the fix has been merged. The fix properly encloses escaped strings in double quotes in the curl command construction to prevent command injection.
Additionally, avoid using radare2 builds without SSL support if possible, as the vulnerability specifically affects non-SSL UNIX configurations.
As a longer-term measure, the project recommends enforcing a character whitelist on PDB filenames and avoiding the use of `system()` calls to invoke curl, but the immediate step is to apply the hotfix from the latest git version.
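The quoting contract explained in the "Can you explain this vulnerability" answer and the two mitigations named above (double-quote enclosure and a filename whitelist), as an added C example that is not radare2's code: `escape_for_double_quotes` is a hypothetical stand-in for `r_str_escape_sh`, and the curl flags and symbol-server URL are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical escaper with the contract the advisory attributes to
 * r_str_escape_sh: it neutralises only characters that are special INSIDE
 * double quotes (\ " $ `). A single quote passes through untouched, so the
 * result is only safe when the caller wraps it in double quotes. */
static char *escape_for_double_quotes(const char *s) {
    char *out = malloc(strlen(s) * 2 + 1), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (*s == '\\' || *s == '"' || *s == '$' || *s == '`') *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Fixed construction: the escaped name is enclosed in double quotes, matching
 * the escaper's contract. Enclosing it in single quotes instead was the bug. */
static char *build_curl_cmd(const char *base_url, const char *pdb_name) {
    char *esc = escape_for_double_quotes(pdb_name);
    if (!esc) return NULL;
    size_t n = strlen(base_url) + 2 * strlen(esc) + 32;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "curl -sfL -o \"%s\" \"%s/%s\"", esc, base_url, esc);
    free(esc);
    return cmd;
}

/* Longer-term mitigation the project recommends: accept only a conservative
 * whitelist for PDB filenames so nothing quoting-sensitive reaches a shell.
 * Also rejects empty, over-long and traversal-containing names. */
static bool pdb_name_is_safe(const char *name) {
    size_t len = strlen(name);
    if (len == 0 || len > 255 || strstr(name, "..")) return false;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return false;
    }
    return true;
}
```

With the whitelist applied first, the quoting question becomes moot, which is why the project prefers it to relying on `system()` and escaping.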