Radare2 — CraftedSignal Threat Feed

Radare2 Path Traversal Vulnerability in Project Deletion

hello@craftedsignal.io — Thu, 23 Apr 2026 21:16:06 +0000

Radare2, a reverse engineering framework, is susceptible to a path traversal vulnerability (CVE-2026-6940) affecting versions prior to 6.1.4. This flaw allows a local attacker to delete arbitrary directories outside of the intended project storage location. By crafting project marker files with absolute paths that escape the configured dir.projects root directory, an attacker can trick the radare2 process into recursively deleting directories they should not have access to. This vulnerability poses a significant risk to system integrity and availability, as attackers can potentially delete critical system files or data. This vulnerability was published on 2026-04-23 and could be exploited immediately.

Attack Chain

Attacker gains local access to a system with radare2 installed.
Attacker identifies the location where radare2 stores project files (configured by dir.projects).
Attacker crafts a malicious radare2 project file containing an absolute path pointing outside the designated project directory. This path includes traversal sequences (e.g., ../) to escape the dir.projects root.
The attacker places the malicious project marker file in a location where radare2 will discover it (e.g. a default projects directory).
Attacker uses radare2’s project deletion functionality, specifying the malicious project for deletion.
Radare2, without proper validation of the project file path, recursively deletes the directory specified in the crafted path.
This deletion occurs with the permissions of the radare2 process, potentially allowing the attacker to delete files and directories they would normally not have access to.
The attacker achieves arbitrary directory deletion, leading to loss of system integrity and availability.

Impact

Successful exploitation of this vulnerability allows a local attacker to recursively delete arbitrary directories on the affected system. This can lead to significant data loss, system instability, and denial of service. The CVSS v3.1 base score for this vulnerability is 7.1, indicating a high level of severity. While no specific victim numbers or sector targeting have been disclosed, the potential impact on any system running a vulnerable version of radare2 is substantial.

Recommendation

Upgrade radare2 to version 6.1.4 or later to patch CVE-2026-6940.
Implement the process creation rule below to detect suspicious radare2 executions that could indicate exploitation attempts.
Consider limiting local user access to systems running radare2 to reduce the attack surface.

Radare2 Command Injection Vulnerability (CVE-2026-41015)

hello@craftedsignal.io — Thu, 16 Apr 2026 03:16:27 +0000

CVE-2026-41015 is a command injection vulnerability affecting radare2, a reverse engineering framework, when configured on UNIX systems without SSL. The vulnerability occurs in the rabin2 utility, specifically when processing Program Database (PDB) files with the -PP option. An attacker can inject arbitrary commands into the PDB name, which are then executed by the system. This vulnerability exists within a specific commit range after version 6.1.2 and before 6.1.3 (commit 9236f44). While radare2 encourages users to use the latest git version, the short timeframe of the vulnerable code increases the risk for users who have not updated within that period. Exploitation could lead to complete system compromise if the radare2 process has sufficient privileges.

Attack Chain

Attacker identifies a vulnerable radare2 installation configured on a UNIX system without SSL.
Attacker crafts a malicious PDB file name containing embedded OS commands.
Attacker supplies the crafted PDB file name as input to the rabin2 -PP command.
rabin2 processes the PDB name without proper sanitization.
The embedded OS commands within the PDB name are executed by the system.
Attacker gains arbitrary code execution within the context of the radare2 process.
Attacker leverages the initial access to escalate privileges.
Attacker performs malicious actions such as data exfiltration, system compromise, or denial of service.

Impact

Successful exploitation of CVE-2026-41015 allows an attacker to execute arbitrary commands on the affected system. This can lead to complete system compromise, including data theft, malware installation, or denial of service. The impact is particularly severe if radare2 is running with elevated privileges. The number of potential victims is dependent on the number of radare2 installations running vulnerable versions and configurations, but it is estimated to be relatively low due to the specific configuration requirements and the short lifespan of the vulnerable code in the git repository.

Recommendation

Apply the patch from commit 9236f44 to remediate the command injection vulnerability in radare2.
Avoid configuring radare2 on UNIX systems without SSL to reduce the attack surface.
Deploy the Sigma rule radare2-suspicious-rabin2-execution to detect exploitation attempts involving the rabin2 command.
Monitor process execution for rabin2 with unusual command-line arguments as indicated by the rule radare2-rabin2-pdb-injection.

radare2 PDB Parser Command Injection Vulnerability (CVE-2026-40517)

hello@craftedsignal.io — Wed, 24 Jan 2024 12:00:00 +0000

A command injection vulnerability, identified as CVE-2026-40517, affects radare2 versions prior to 6.1.4. This flaw resides within the PDB parser’s print_gvars() function. An attacker can exploit this vulnerability by creating a malicious PDB file containing newline characters within symbol names. These newline characters enable the injection of arbitrary radare2 commands, which are then executed due to unsanitized symbol name interpolation. This interpolation occurs during the execution of the idp command against the malicious PDB file. Successful exploitation allows the attacker to achieve arbitrary OS command execution through radare2’s shell execution operator, posing a significant risk to systems where radare2 is used for binary analysis.

Attack Chain

Attacker crafts a malicious PDB file. This file contains newline characters embedded within symbol names.
The crafted PDB file is delivered to the target system, potentially through social engineering or as part of a larger attack chain.
A user, unaware of the malicious nature of the PDB file, attempts to analyze it using radare2.
The user executes the idp command within radare2 to parse and load debug symbols from the PDB file.
During the parsing process, the print_gvars() function is called within the PDB parser.
The function attempts to rename flags based on the symbol names read from the PDB file.
Due to the lack of proper sanitization, the newline characters in the symbol names are interpreted as command separators.
The injected radare2 commands are executed by the shell execution operator, leading to arbitrary OS command execution. The attacker achieves arbitrary command execution on the system.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the system where radare2 is running. The impact ranges from system compromise and data theft to denial of service, depending on the privileges of the user running radare2 and the commands injected by the attacker. The CVSS v3.1 base score is rated as 7.8 (High).

Recommendation

Upgrade radare2 to version 6.1.4 or later to patch CVE-2026-40517.
Implement strict input validation and sanitization for PDB files processed by radare2 to prevent command injection.
Deploy the Sigma rule Detect Suspicious Radare2 Process Execution to identify potential exploitation attempts.
Monitor radare2 process execution for unusual command line arguments (see Detect Suspicious Radare2 Process Execution).