{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/radare2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-6940"}],"_cs_exploited":false,"_cs_products":["radare2"],"_cs_severities":["high"],"_cs_tags":["path-traversal","radare2","local-privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["radare"],"content_html":"\u003cp\u003eRadare2, a reverse engineering framework, is susceptible to a path traversal vulnerability (CVE-2026-6940) affecting versions prior to 6.1.4. This flaw allows a local attacker to delete arbitrary directories outside of the intended project storage location. By crafting project marker files with absolute paths that escape the configured \u003ccode\u003edir.projects\u003c/code\u003e root directory, an attacker can trick the radare2 process into recursively deleting directories they should not have access to. This vulnerability poses a significant risk to system integrity and availability, as attackers can potentially delete critical system files or data. This vulnerability was published on 2026-04-23 and could be exploited immediately.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a system with radare2 installed.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the location where radare2 stores project files (configured by \u003ccode\u003edir.projects\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious radare2 project file containing an absolute path pointing outside the designated project directory. This path includes traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to escape the \u003ccode\u003edir.projects\u003c/code\u003e root.\u003c/li\u003e\n\u003cli\u003eThe attacker places the malicious project marker file in a location where radare2 will discover it (e.g. a default projects directory).\u003c/li\u003e\n\u003cli\u003eAttacker uses radare2\u0026rsquo;s project deletion functionality, specifying the malicious project for deletion.\u003c/li\u003e\n\u003cli\u003eRadare2, without proper validation of the project file path, recursively deletes the directory specified in the crafted path.\u003c/li\u003e\n\u003cli\u003eThis deletion occurs with the permissions of the radare2 process, potentially allowing the attacker to delete files and directories they would normally not have access to.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary directory deletion, leading to loss of system integrity and availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to recursively delete arbitrary directories on the affected system. This can lead to significant data loss, system instability, and denial of service. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of severity. While no specific victim numbers or sector targeting have been disclosed, the potential impact on any system running a vulnerable version of radare2 is substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade radare2 to version 6.1.4 or later to patch CVE-2026-6940.\u003c/li\u003e\n\u003cli\u003eImplement the process creation rule below to detect suspicious radare2 executions that could indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider limiting local user access to systems running radare2 to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T21:16:06Z","date_published":"2026-04-23T21:16:06Z","id":"/briefs/2026-04-radare2-path-traversal/","summary":"Radare2 versions prior to 6.1.4 are vulnerable to a path traversal in project deletion, allowing local attackers to recursively delete arbitrary directories by escaping the 'dir.projects' root, leading to integrity and availability loss.","title":"Radare2 Path Traversal Vulnerability in Project Deletion","url":"https://feed.craftedsignal.io/briefs/2026-04-radare2-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-40517"}],"_cs_exploited":false,"_cs_products":["radare2"],"_cs_severities":["high"],"_cs_tags":["command-injection","radare2","CVE-2026-40517"],"_cs_type":"advisory","_cs_vendors":["radare"],"content_html":"\u003cp\u003eA command injection vulnerability, identified as CVE-2026-40517, affects radare2 versions prior to 6.1.4. This flaw resides within the PDB parser\u0026rsquo;s \u003ccode\u003eprint_gvars()\u003c/code\u003e function. An attacker can exploit this vulnerability by creating a malicious PDB file containing newline characters within symbol names. These newline characters enable the injection of arbitrary radare2 commands, which are then executed due to unsanitized symbol name interpolation. This interpolation occurs during the execution of the \u003ccode\u003eidp\u003c/code\u003e command against the malicious PDB file. Successful exploitation allows the attacker to achieve arbitrary OS command execution through radare2\u0026rsquo;s shell execution operator, posing a significant risk to systems where radare2 is used for binary analysis.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious PDB file. This file contains newline characters embedded within symbol names.\u003c/li\u003e\n\u003cli\u003eThe crafted PDB file is delivered to the target system, potentially through social engineering or as part of a larger attack chain.\u003c/li\u003e\n\u003cli\u003eA user, unaware of the malicious nature of the PDB file, attempts to analyze it using radare2.\u003c/li\u003e\n\u003cli\u003eThe user executes the \u003ccode\u003eidp\u003c/code\u003e command within radare2 to parse and load debug symbols from the PDB file.\u003c/li\u003e\n\u003cli\u003eDuring the parsing process, the \u003ccode\u003eprint_gvars()\u003c/code\u003e function is called within the PDB parser.\u003c/li\u003e\n\u003cli\u003eThe function attempts to rename flags based on the symbol names read from the PDB file.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper sanitization, the newline characters in the symbol names are interpreted as command separators.\u003c/li\u003e\n\u003cli\u003eThe injected radare2 commands are executed by the shell execution operator, leading to arbitrary OS command execution. The attacker achieves arbitrary command execution on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the system where radare2 is running. The impact ranges from system compromise and data theft to denial of service, depending on the privileges of the user running radare2 and the commands injected by the attacker. The CVSS v3.1 base score is rated as 7.8 (High).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade radare2 to version 6.1.4 or later to patch CVE-2026-40517.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for PDB files processed by radare2 to prevent command injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Radare2 Process Execution\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor radare2 process execution for unusual command line arguments (see \u003ccode\u003eDetect Suspicious Radare2 Process Execution\u003c/code\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-radare2-command-injection/","summary":"A command injection vulnerability exists in radare2 versions prior to 6.1.4, where a crafted PDB file with newline characters in symbol names can inject arbitrary radare2 commands, leading to arbitrary OS command execution.","title":"radare2 PDB Parser Command Injection Vulnerability (CVE-2026-40517)","url":"https://feed.craftedsignal.io/briefs/2024-01-radare2-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Radare2","version":"https://jsonfeed.org/version/1.1"}