Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-41015

CVE-2026-41015: radare2 Command Injection Vulnerability

CVE-2026-41015 is a command injection flaw in radare2 that allows attackers to execute arbitrary commands via PDB name manipulation. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-41015 Overview

CVE-2026-41015 is a command injection vulnerability in radare2, a popular open-source reverse engineering framework. When radare2 is configured on UNIX systems without SSL support, an attacker can inject arbitrary commands via a maliciously crafted PDB (Program Database) name when using the rabin2 -PP command. This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

The vulnerable code existed in a narrow window between versions 6.1.2 and 6.1.3, with the fix committed as 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2. While radare2 recommends users always run the latest version from git rather than releases, this vulnerability could affect users running development builds during that period.

Critical Impact

Attackers can execute arbitrary system commands with the privileges of the user running rabin2, potentially leading to full system compromise.

Affected Products

  • radare2 development versions after 6.1.2 but before commit 9236f44
  • radare2 installations on UNIX without SSL configured
  • Systems using rabin2 -PP for PDB file processing

Discovery Timeline

  • 2026-04-16 - CVE-2026-41015 published to NVD
  • 2026-04-16 - Last updated in NVD database

Technical Details for CVE-2026-41015

Vulnerability Analysis

This command injection vulnerability originates from improper quoting in shell command construction within radare2's socket HTTP handling code. When radare2 is built without SSL support on UNIX systems, it falls back to using curl for HTTP requests, including downloading PDB files. The vulnerability exists in how the curl command is constructed in libr/socket/socket_http.c.

The flawed code used single quotes to wrap filenames in the curl command construction. Single quotes in shell environments do not provide adequate protection against all forms of command injection, particularly when an attacker controls input that can contain shell metacharacters. An attacker who can control the PDB filename (such as through a malicious binary or by manipulating file paths) can break out of the single-quoted context and inject arbitrary commands.

Root Cause

The root cause is insufficient input sanitization and improper quoting in shell command construction. The vulnerable code used single quotes (') around user-controlled filenames when building the curl command string. Single quotes in Bash and similar shells prevent variable expansion but can be escaped or bypassed through specific character sequences, allowing command injection when the input is attacker-controlled.

Attack Vector

This is a local attack vector that requires the attacker to either:

  1. Provide a malicious binary with a crafted PDB path that triggers command injection when analyzed with rabin2 -PP
  2. Manipulate file paths or filenames in a way that injects commands into the curl invocation
  3. Exploit scenarios where untrusted binaries are automatically analyzed

The attack requires radare2 to be configured without SSL support, forcing the use of the external curl command rather than internal HTTPS handling.

c
// Security patch in libr/socket/socket_http.c
// Fix #25650 - Command injection in curl PDB download
 		return NULL;
 	}
 	RStrBuf *sb = r_strbuf_new ("curl -s -D ");
-	r_strbuf_appendf (sb, "'%s' -o '%s' -L --max-redirs %u", escaped_header_file, escaped_body_file, redirections);
+	r_strbuf_appendf (sb, "\"%s\" -o \"%s\" -L --max-redirs %u", escaped_header_file, escaped_body_file, redirections);
 	if (headers) {
 		const char **header = headers;
 		while (*header) {

Source: GitHub Commit Details

Detection Methods for CVE-2026-41015

Indicators of Compromise

  • Unexpected curl processes spawned by rabin2 with unusual command-line arguments
  • Shell metacharacters or command sequences appearing in PDB file paths
  • Unusual child processes spawned from rabin2 or radare2 processes
  • Suspicious network connections or file system modifications following rabin2 execution

Detection Strategies

  • Monitor process creation events for rabin2 spawning unexpected child processes
  • Implement command-line logging and alerting for shell metacharacters in rabin2 arguments
  • Use file integrity monitoring on systems where radare2 is deployed for automated analysis
  • Deploy endpoint detection rules that flag command injection patterns in reverse engineering tool usage

Monitoring Recommendations

  • Enable comprehensive process auditing on systems running radare2
  • Log all rabin2 invocations with full command-line arguments
  • Monitor for unusual network activity following binary analysis operations
  • Implement sandboxing for automated binary analysis workflows

How to Mitigate CVE-2026-41015

Immediate Actions Required

  • Update radare2 to a version containing commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2 or later
  • Upgrade to radare2 version 6.1.3 or newer
  • Configure radare2 with SSL support to avoid the vulnerable curl fallback code path
  • Avoid analyzing untrusted binaries with rabin2 -PP until patched

Patch Information

The vulnerability was fixed in commit 9236f44a28812fe911814e1b3a7bcf1e4de5d3c2. The fix changes the quoting mechanism from single quotes to double quotes with proper escaping, providing better protection against command injection. Users should update to version 6.1.3 or later, or pull the latest development version from the official radare2 git repository.

For detailed information about the fix, see the GitHub Commit Details. Additional context is available in the GitHub Issue Discussion and GitHub Pull Request Review.

Workarounds

  • Build radare2 with SSL support enabled to use internal HTTPS handling instead of curl
  • Run radare2 analysis in isolated containers or sandboxed environments
  • Implement strict input validation on any automated binary analysis pipelines
  • Temporarily disable PDB downloading functionality if not required
bash
# Build radare2 with SSL support to avoid vulnerable code path
git clone https://github.com/radareorg/radare2
cd radare2
./configure --with-ssl
make
sudo make install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.