CVE-2026-45181
Hex-Rays IDA Pro Argument Injection via Clang Dependency File
Publication date: 2026-05-09
Last updated on: 2026-05-10
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hex-rays | ida_pro | to 9.3sp2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-88 | The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized code execution by allowing attackers to insert malicious code into the plugins directory of IDA Pro. This can compromise the integrity and security of the affected system, potentially leading to data breaches or further exploitation.
Can you explain this vulnerability to me?
This vulnerability affects Hex-Rays IDA Pro versions 9.2 and 9.3 before 9.3sp2. It involves the software not blocking Clang dependency-file generation through argument injection. This flaw allows attackers to place their own code into the plugins directory if the victim opens a specially crafted attacker-supplied .i64 file.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if Hex-Rays IDA Pro versions 9.2 or 9.3 before 9.3sp2 are in use, especially if attacker-supplied .i64 files are opened.
Since the vulnerability exploits argument injection via the Clang-based type parser and the generation of dependency files to place malicious code in the plugins directory, monitoring for unexpected file writes or plugin directory modifications after loading .i64 files can help detect exploitation attempts.
Specific commands are not provided in the resources, but general approaches include:
- Checking the version of IDA Pro installed to confirm if it is vulnerable.
- Monitoring file system changes in the IDA plugins directory for unexpected Python or other script files.
- Using file integrity monitoring tools to detect unauthorized modifications.
- Reviewing logs or audit trails for suspicious activity related to loading .i64 files.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update Hex-Rays IDA Pro to version 9.3sp2 or later, where the vulnerability has been patched by restricting permitted Clang flags and fixing argument injection issues.
Additional immediate steps include:
- Avoid opening untrusted or attacker-supplied .i64 files in vulnerable versions of IDA Pro.
- Monitor and restrict write permissions to the IDA plugins directory to prevent unauthorized code placement.
- Apply general security best practices such as running IDA Pro with least privilege and enabling audit logging.
Users are advised to download the latest IDA installer from the official Hex-Rays portal to ensure all security and stability fixes are applied.