Radare2 · Radare2 · CVE-2026-40517
**Name of the Vulnerable Software and Affected Versions**
radare2 versions prior to 6.1.4
**Description**
A command injection issue exists in the PDB parser's `print gvars()` function. An attacker can execute arbitrary OS commands by crafting a malicious PDB file containing newline characters in symbol names. This occurs due to unsanitized symbol name interpolation in the flag rename command, which triggers the execution of injected radare2 commands when a user runs the `idp` command against the malicious file via radare2's shell execution operator.
**Recommendations**
Update to version 6.1.4 or later.