Primary

Context

Hex-Rays IDA Pro Clang Dependency-File Generation Vulnerability Allowing Code Injection

Vulnerability

Patched

A vulnerability exists in Hex-Rays IDA Pro versions 9.2 and 9.3 prior to 9.3sp2, where the application does not properly restrict Clang dependency-file generation. This oversight allows attackers to inject code into a .i64 file, which can then be placed into a plugin directory used by IDA Pro.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution within the IDA Pro environment, potentially allowing for the creation of malicious plugins that could be executed by the user.

Added: May 9, 2026, 10:18 PM

Updated: May 9, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

2.5

exploitability

4.2

remediation

7.7

relevance

7.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

2.5

exploitability

4.2

remediation

7.7

relevance

7.8

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Hex-Rays IDA Pro Clang Dependency-File Generation Vulnerability Allowing Code Injection

Vulnerability

Impact

Affected Products

Hex-Rays IDA Pro

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating