CVE-2026-41015 PUBLISHED

Assigner: mitre
Reserved: 16.04.2026 Published: 16.04.2026 Updated: 16.04.2026

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 7.4

Attack Vector	Local	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	radare
Product	radare2
Versions	Default: unaffected affected from 01ca2f61fa43bd3f4b732447de31b16039d820c0 to 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2 (excl.)

References

https://github.com/radareorg/radare2/issues/25650
https://github.com/radareorg/radare2/pull/25651
https://github.com/radareorg/radare2/blob/9236f44a28812fe911814e1b3a7bcf1e4de5d3c2/SECURITY.md?plain=1#L3-L5
https://github.com/radareorg/radare2/commit/9236f44a28812fe911814e1b3a7bcf1e4de5d3c2

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE