PT-2026-33515 · Radare2 · Radare2

Shota Zaizen · Published 2026-04-17 · Updated 2026-04-20 · CVE-2026-40527

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

radare2 versions prior to commit bc5a890

Description

An issue exists in the 'afsv/afsvj' command path where crafted ELF binaries can embed malicious r2 command sequences as DWARF DW_TAG_formal_parameter names. When the software analyzes a binary using the aaa command and subsequently runs afsvj, unsanitized parameter interpolation in the pfq command string allows for arbitrary shell command execution.

Recommendations

Update to the version containing commit bc5a890.
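
The description comes down to a name read from the binary's DWARF data being interpolated into an r2 command string. The C example below is added here for illustration; it is not radare2's code and not the fix in commit bc5a890. It shows an allowlist check applied before such a name is placed into a command, and the names `param_name_is_safe`, `build_pfq_cmd`, `MAX_PARAM_NAME` and the `pfq <fmt> <name>` layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PARAM_NAME 64u  /* assumed limit, not taken from radare2 */

/* Allowlist check: accept only [A-Za-z_][A-Za-z0-9_]* (ASCII, locale independent). */
int param_name_is_safe(const char *name) {
    if (!name || !*name || strlen(name) > MAX_PARAM_NAME) {
        return 0;
    }
    for (const char *p = name; *p; p++) {
        int alpha = (*p >= 'A' && *p <= 'Z') || (*p >= 'a' && *p <= 'z') || *p == '_';
        int digit = (*p >= '0' && *p <= '9');
        if (!alpha && !(digit && p != name)) {
            return 0;  /* separators, quotes, spaces, leading digits all land here */
        }
    }
    return 1;
}

/* Hypothetical helper: writes "pfq <fmt> <name>" to out.
 * Returns 0 on success, -1 when the name is rejected or the result would be truncated.
 * fmt is assumed to be chosen by the tool itself, never read from the binary. */
int build_pfq_cmd(char *out, size_t out_sz, const char *fmt, const char *name) {
    if (!out || out_sz == 0) {
        return -1;
    }
    out[0] = '\0';
    if (!fmt || !param_name_is_safe(name)) {
        return -1;
    }
    int n = snprintf(out, out_sz, "pfq %s %s", fmt, name);
    if (n < 0 || (size_t)n >= out_sz) {
        out[0] = '\0';  /* never hand a truncated command to the interpreter */
        return -1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample names, as a DWARF reader might return them. */
    const char *names[] = { "argc", "_buf2", "len;px", "a b", "2fast", "" };
    char cmd[128];
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int rc = build_pfq_cmd(cmd, sizeof(cmd), "d", names[i]);
        printf("%-8s -> %s\n", names[i], rc == 0 ? cmd : "(rejected)");
    }
    return 0;
}
```

Rejecting everything outside an identifier character set avoids having to enumerate each character the command interpreter treats specially.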

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-40527

Affected Products: Radare2