{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-41015/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-41015"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["radare2","command-injection","cve-2026-41015","linux"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-41015 is a command injection vulnerability affecting radare2, a reverse engineering framework, when configured on UNIX systems without SSL. The vulnerability occurs in the \u003ccode\u003erabin2\u003c/code\u003e utility, specifically when processing Program Database (PDB) files with the \u003ccode\u003e-PP\u003c/code\u003e option. An attacker can inject arbitrary commands into the PDB name, which are then executed by the system. This vulnerability exists within a specific commit range after version 6.1.2 and before 6.1.3 (commit 9236f44). While radare2 encourages users to use the latest git version, the short timeframe of the vulnerable code increases the risk for users who have not updated within that period. Exploitation could lead to complete system compromise if the radare2 process has sufficient privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable radare2 installation configured on a UNIX system without SSL.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious PDB file name containing embedded OS commands.\u003c/li\u003e\n\u003cli\u003eAttacker supplies the crafted PDB file name as input to the \u003ccode\u003erabin2 -PP\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erabin2\u003c/code\u003e processes the PDB name without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe embedded OS commands within the PDB name are executed by the system.\u003c/li\u003e\n\u003cli\u003eAttacker gains arbitrary code execution within the context of the radare2 process.\u003c/li\u003e\n\u003cli\u003eAttacker leverages the initial access to escalate privileges.\u003c/li\u003e\n\u003cli\u003eAttacker performs malicious actions such as data exfiltration, system compromise, or denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-41015 allows an attacker to execute arbitrary commands on the affected system. This can lead to complete system compromise, including data theft, malware installation, or denial of service. The impact is particularly severe if radare2 is running with elevated privileges. The number of potential victims is dependent on the number of radare2 installations running vulnerable versions and configurations, but it is estimated to be relatively low due to the specific configuration requirements and the short lifespan of the vulnerable code in the git repository.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch from commit 9236f44 to remediate the command injection vulnerability in radare2.\u003c/li\u003e\n\u003cli\u003eAvoid configuring radare2 on UNIX systems without SSL to reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eradare2-suspicious-rabin2-execution\u003c/code\u003e to detect exploitation attempts involving the \u003ccode\u003erabin2\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003erabin2\u003c/code\u003e with unusual command-line arguments as indicated by the rule \u003ccode\u003eradare2-rabin2-pdb-injection\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T03:16:27Z","date_published":"2026-04-16T03:16:27Z","id":"/briefs/2026-04-radare2-cmd-injection/","summary":"Radare2 before commit 9236f44, when configured on UNIX without SSL, is vulnerable to command injection via a PDB name passed to rabin2 -PP, potentially allowing arbitrary code execution.","title":"Radare2 Command Injection Vulnerability (CVE-2026-41015)","url":"https://feed.craftedsignal.io/briefs/2026-04-radare2-cmd-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-41015","version":"https://jsonfeed.org/version/1.1"}