CVE-2026-41015 Overview
CVE-2026-41015 is a command injection vulnerability in radare2, a popular open-source reverse engineering framework. When radare2 is built on UNIX without SSL support, its HTTP client falls back to running the external curl binary through the shell. An attacker who controls the PDB (Program Database) name embedded in a binary can then inject arbitrary shell commands when that binary is processed with rabin2 -PP, the option that downloads the PDB. This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
The vulnerable code existed only in the window between the 6.1.2 release and the fix, committed as 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2 and shipped in 6.1.3. Because radare2 recommends running the latest version from git rather than releases, users who built from the development branch during that period are the ones affected.
Critical Impact
Attackers can execute arbitrary system commands with the privileges of the user running rabin2, potentially leading to full system compromise.
Affected Products
- radare2 development versions after 6.1.2 but before commit 9236f44
- radare2 builds on UNIX without SSL support (the curl fallback is only used in that configuration)
- Systems using rabin2 -PP for PDB file processing
Discovery Timeline
- 2026-04-16 - CVE-2026-41015 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2026-41015
Vulnerability Analysis
This command injection vulnerability originates from improper quoting in shell command construction within radare2's socket HTTP handling code. When radare2 is built without SSL support on UNIX systems, it falls back to using curl for HTTP requests, including downloading PDB files. The vulnerability exists in how the curl command is constructed in libr/socket/socket_http.c.
The flawed code wrapped the header and body filenames in single quotes when building the curl command, while the values it inserted were the already-escaped variables escaped_header_file and escaped_body_file. Single quotes are in fact the strictest quoting a POSIX shell offers: nothing inside them is expanded, backslashes are literal, and the only character that ends a single-quoted string is another single quote. That is precisely the gap. Judging from the fix, which keeps the same escaped variables and only changes the quote character, the escaper targets the double-quoted context (backslash, double quote, dollar and backtick) and leaves the single quote alone, so a PDB name containing ' closes the quoted argument early and everything after it is parsed by the shell as a new command. Because the PDB name is read from the analysed binary (its debug directory), the attacker controls it outright.
Root Cause
The root cause is a mismatch between the escaping applied to the filenames and the quoting used around them when the curl command string is built. The vulnerable code wrapped the attacker-influenced filenames in single quotes (') after escaping them for a double-quoted context, so the one character that matters inside single quotes, the single quote itself, was never neutralised. Any PDB name containing a single quote therefore terminates the argument and turns the remainder of the name into shell syntax. More fundamentally, the command is handed to a shell as a string at all; building an argv array and executing curl directly would remove the quoting problem entirely.
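The following is an added illustration of that mismatch, not radare2's own code. escape_for_double_quotes is a stand-in for whatever produced the escaped_* variables in the patched function (the real helper is not shown on this page, so its behaviour is an assumption), build_curl_vulnerable and build_curl_fixed mirror the two r_strbuf_appendf lines from the diff, and commands_in uses Python's shlex to split a command line the way /bin/sh -c would, so that an injected ';' shows up as an extra command. The PDB names are constructed test inputs.

```python
"""Single quotes plus a double-quote escaper: why a ' in the PDB name becomes a command."""
import shlex

SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def escape_for_double_quotes(s):
    """Stand-in escaper (assumption: radare2's real helper is not on the page).

    Backslash-escapes the four characters that are special inside "...":
    backslash, double quote, dollar and backtick. The single quote is not
    special inside double quotes, so it is deliberately left untouched.
    """
    return "".join("\\" + c if c in '\\"$`' else c for c in s)


def build_curl_vulnerable(header_file, body_file, redirections=5):
    """Command line as built before the fix: escaped for "...", wrapped in '...'."""
    return "curl -s -D '%s' -o '%s' -L --max-redirs %d" % (
        escape_for_double_quotes(header_file),
        escape_for_double_quotes(body_file),
        redirections,
    )


def build_curl_fixed(header_file, body_file, redirections=5):
    """Command line as built after the fix: the quoting now matches the escaping."""
    return 'curl -s -D "%s" -o "%s" -L --max-redirs %d' % (
        escape_for_double_quotes(header_file),
        escape_for_double_quotes(body_file),
        redirections,
    )


def commands_in(cmdline):
    """Split a command line into the simple commands /bin/sh -c would run.

    shlex in POSIX mode with punctuation_chars=True groups quoted text the
    way the shell does and emits ; | & as separate tokens, so each separator
    starts a new command. shlex does not expand $(...) or backticks; this
    models quote boundaries only, which is exactly the bug here.
    """
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in SHELL_SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Constructed PDB names an attacker could embed in a binary's debug directory.
PDB_WITH_SINGLE_QUOTE = "evil'; id; 'x"   # closes '...' early: the actual CVE
PDB_WITH_DOUBLE_QUOTE = '"; id; "'        # would close an unescaped "..."
PDB_WITH_SUBSHELL = "$(id).pdb"           # would expand inside an unescaped "..."

if __name__ == "__main__":
    for name in (PDB_WITH_SINGLE_QUOTE, PDB_WITH_DOUBLE_QUOTE, PDB_WITH_SUBSHELL):
        for label, build in (("vulnerable", build_curl_vulnerable), ("fixed", build_curl_fixed)):
            cmd = build(name, "out.pdb")
            print("%-10s %r -> %d command(s): %s" % (label, name, len(commands_in(cmd)), cmd))
```

Running it shows the point the prose makes: only the name containing a single quote produces three commands (curl, id, and a stray x) from the vulnerable builder, while the same name is a single argument under the fixed builder; the double-quote and $( names are harmless under both builders, because single quotes never let them through and the escaper handles them inside double quotes.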
Attack Vector
This is a local attack vector in the NVD sense: the attacker needs no access to the victim's machine, but does need the victim (or an automated pipeline) to run rabin2 -PP on a file the attacker supplied. Concretely, the attacker can:
- Provide a malicious binary with a crafted PDB path that triggers command injection when analyzed with rabin2 -PP
- Manipulate file paths or filenames in a way that injects commands into the curl invocation
- Exploit scenarios where untrusted binaries are automatically analyzed
The attack requires radare2 to be configured without SSL support, forcing the use of the external curl command rather than internal HTTPS handling.
// Security patch in libr/socket/socket_http.c
// Fix #25650 - Command injection in curl PDB download
return NULL;
}
RStrBuf *sb = r_strbuf_new ("curl -s -D ");
- r_strbuf_appendf (sb, "'%s' -o '%s' -L --max-redirs %u", escaped_header_file, escaped_body_file, redirections);
+ r_strbuf_appendf (sb, "\"%s\" -o \"%s\" -L --max-redirs %u", escaped_header_file, escaped_body_file, redirections);
if (headers) {
const char **header = headers;
while (*header) {
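Review bot: switching the wrapper from '...' to "..." in the r_strbuf_appendf call only closes the hole if escaped_header_file and escaped_body_file were escaped for the double-quoted context (backslash, double quote, dollar and backtick); the escaper itself is outside this hunk, so please confirm that and add a test with a PDB name containing ", $( and a backtick alongside the single-quote case that motivated the fix. The URL argument appended to the same buffer is not in this hunk either and needs the same quoting. The robust form is to not build a shell string at all: assemble an argv array and exec curl directly, which makes the quoting question moot.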
Source: GitHub Commit Details
Detection Methods for CVE-2026-41015
Indicators of Compromise
- Unexpected curl processes spawned by rabin2 with unusual command-line arguments
- Shell metacharacters (', ;, |, &, $(, backticks) in the PDB path embedded in a binary; rabin2 -P (single P) prints that path without triggering the download
- Unusual child processes spawned from rabin2 or radare2 processes
- Suspicious network connections or file system modifications following rabin2 execution
Detection Strategies
- Monitor process creation events for rabin2 spawning unexpected child processes
- Log the command lines of shells spawned by rabin2 (the curl fallback runs through sh -c) and alert when the curl command contains shell metacharacters such as ;, |, &, $( or backticks; the metacharacters appear in the PDB-derived filenames inside that command, not in rabin2's own arguments
- Use file integrity monitoring on systems where radare2 is deployed for automated analysis
- Deploy endpoint detection rules that flag command injection patterns in reverse engineering tool usage
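The following is an added example of the first two strategies as detection logic, not code from radare2 or any EDR product. It works on a constructed, simplified process-creation feed (one dict per execve with pid, ppid, comm and argv; map auditd EXECVE records or your eBPF exec tracer onto that shape before use) and applies two rules: a shell started by rabin2 whose -c string contains a metacharacter the curl fallback never emits, and any descendant of rabin2 that is neither a shell nor curl. The sample events, including the URL, are constructed.

```python
"""Flag command injection through rabin2's curl fallback in process-creation telemetry."""
import re

# Characters that never belong in the command the fallback builds
# (curl -s -D '<hdr>' -o '<body>' -L --max-redirs N <url>): a command
# separator, pipe, background operator, subshell or newline.
INJECTION_METACHARS = re.compile(r"[;|&`\n]|\$\(")

# Images that legitimately appear under rabin2 -PP: the shell that runs
# the fallback, and curl itself.
SHELLS = {"sh", "bash", "dash"}
EXPECTED_UNDER_RABIN2 = SHELLS | {"curl"}


def _ancestors(event, by_pid):
    """Yield the parent chain of an event, nearest parent first."""
    ppid = event["ppid"]
    while ppid in by_pid:
        parent = by_pid[ppid]
        yield parent
        ppid = parent["ppid"]


def detect(events):
    """Return (pid, reason) for every suspicious execve under a rabin2 process."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if not any(a["comm"] == "rabin2" for a in _ancestors(e, by_pid)):
            continue
        argv = e["argv"]
        if e["comm"] in SHELLS and len(argv) >= 3 and argv[1] == "-c":
            # Rule 1: the command string rabin2 handed to sh -c was injected into.
            if INJECTION_METACHARS.search(argv[2]):
                alerts.append((e["pid"], "shell metacharacter in curl command spawned by rabin2"))
        elif e["comm"] not in EXPECTED_UNDER_RABIN2:
            # Rule 2: the injected command actually ran.
            alerts.append((e["pid"], "unexpected process %r under rabin2" % e["comm"]))
    return alerts


# Constructed sample telemetry: a benign rabin2 -PP run (pids 100-102) and one
# where the PDB name carried a single quote and ran `id` (pids 200-203).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "comm": "rabin2", "argv": ["rabin2", "-PP", "clean.exe"]},
    {"pid": 101, "ppid": 100, "comm": "sh", "argv": [
        "sh", "-c",
        "curl -s -D 'clean.hdr' -o 'clean.pdb' -L --max-redirs 5 "
        "https://symbols.example/clean.pdb/1/clean.pdb"]},
    {"pid": 102, "ppid": 101, "comm": "curl", "argv": [
        "curl", "-s", "-D", "clean.hdr", "-o", "clean.pdb", "-L", "--max-redirs", "5",
        "https://symbols.example/clean.pdb/1/clean.pdb"]},
    {"pid": 200, "ppid": 1, "comm": "rabin2", "argv": ["rabin2", "-PP", "evil.exe"]},
    {"pid": 201, "ppid": 200, "comm": "sh", "argv": [
        "sh", "-c",
        "curl -s -D 'x'; id; 'x.hdr' -o 'x'; id; 'x' -L --max-redirs 5"]},
    {"pid": 202, "ppid": 201, "comm": "curl", "argv": ["curl", "-s", "-D", "x"]},
    {"pid": 203, "ppid": 201, "comm": "id", "argv": ["id"]},
]

if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print("ALERT pid=%d: %s" % (pid, reason))
```

Rule 1 fires before anything malicious executes and is the one to keep even after patching, since it also catches a future regression of the same quoting bug; rule 2 is the post-exploitation backstop and needs tuning where rabin2 is itself invoked from a shell wrapper, because that wrapper's other children would then be descendants of rabin2 only if rabin2 spawned them, which the ancestry walk already distinguishes.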
Monitoring Recommendations
- Enable comprehensive process auditing on systems running radare2
- Log all rabin2 invocations with full command-line arguments
- Monitor for unusual network activity following binary analysis operations
- Implement sandboxing for automated binary analysis workflows
How to Mitigate CVE-2026-41015
Immediate Actions Required
- Update radare2 to version 6.1.3 or newer, or to any git build that contains commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2
- Configure radare2 with SSL support to avoid the vulnerable curl fallback code path
- Avoid analyzing untrusted binaries with rabin2 -PP until patched
Patch Information
The vulnerability was fixed in commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2. The fix changes the quoting around the filenames from single quotes to double quotes so that it matches the escaping already applied to those values, which neutralises the characters that are special inside double quotes. Users should update to version 6.1.3 or later, or pull the latest development version from the official radare2 git repository.
For detailed information about the fix, see the GitHub Commit Details. Additional context is available in the GitHub Issue Discussion and GitHub Pull Request Review.
Workarounds
- Build radare2 with SSL support enabled to use internal HTTPS handling instead of curl
- Run radare2 analysis in isolated containers or sandboxed environments
- Implement strict input validation on any automated binary analysis pipelines
- Do not run rabin2 -PP (PDB download) on untrusted binaries if the download is not required; rabin2 -P lists the PDB information without fetching anything
# Build radare2 with SSL support to avoid the vulnerable code path
git clone https://github.com/radareorg/radare2
cd radare2
# --with-ssl enables the internal HTTPS handling, so libr/socket no longer shells out to curl
./configure --with-ssl
make
sudo make install
# Confirm the installed build is 6.1.3 or newer (or a git build after commit 9236f44)
r2 -v
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

