CVE-2026-45181
Hex-Rays IDA Pro Argument Injection via Clang Dependency File
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hex-rays | ida_pro | up to 9.3sp2 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to unauthorized code execution by allowing attackers to insert malicious code into the plugins directory of IDA Pro. This can compromise the integrity and security of the affected system, potentially leading to data breaches or further exploitation.
Can you explain this vulnerability to me?
This vulnerability affects Hex-Rays IDA Pro versions 9.2 and 9.3 before 9.3sp2. The software does not block Clang dependency-file generation that is requested through argument injection. As a result, attackers can place their own code into the plugins directory if the victim opens a specially crafted, attacker-supplied .i64 file.