Nixpkgs security tracker

Permalink CVE-2026-41015

7.4 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 4 weeks, 1 day ago by @LeSuisse Activity log

Created suggestion 4 weeks, 1 day ago
@LeSuisse dismissed 4 weeks, 1 day ago

radare2 before 9236f44, when configured on UNIX without SSL, allows …

radare2 before 9236f44, when configured on UNIX without SSL, allows command injection via a PDB name to rabin2 -PP. NOTE: although users are supposed to use the latest version from git (not a release), the date range for the vulnerable code was less than a week, occurring after 6.1.2 but before 6.1.3.

References

Affected products

radare2

<9236f44a28812fe911814e1b3a7bcf1e4de5d3c2

Matching in nixpkgs

pkgs.radare2

UNIX-like reverse engineering framework and command-line toolset

nixos-unstable 6.1.2
- nixpkgs-unstable 6.1.2
- nixos-unstable-small 6.1.2
nixos-25.11 6.1.2
- nixos-25.11-small 6.1.2
- nixpkgs-25.11-darwin 6.1.2

Package maintainers

@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@Mic92 Jörg Thalheim <joerg@thalheim.io>
@azahi Azat Bahawi <azat@bahawi.net>
@makefu Felix Richter <makefu@syntax-fehler.de>
@arkivm Vikram Narayanan <vikram186@gmail.com>

Not impacted, issue occurred after the 6.1.2 tag

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.radare2

Package maintainers