PatchSiren

CVE-2026-45181 Blog CVE debrief

CVE-2026-45181 is a medium-severity issue in Hex-Rays IDA Pro 9.2 and 9.3 before 9.3sp2. The problem is that IDA does not block Clang dependency-file generation through argument injection. If a victim opens an attacker-supplied .i64 file, the issue can cause attacker code to be written into a plugins directory. Hex-Rays lists the fix in 9.3sp2.

Vendor: Blog
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-10
Advisory published: 2026-05-09
Advisory updated: 2026-05-10

Who should care

IDA Pro users and administrators, especially anyone who opens or analyzes .i64 files from untrusted or third-party sources. Security teams that rely on IDA in shared workstations, reverse-engineering labs, or malware-analysis environments should also treat this as relevant.

Technical summary

NVD describes the weakness as CWE-88 (argument injection). The supplied CVE record says IDA Pro before 9.3sp2 does not block Clang dependency-file generation via injected arguments. In the reported scenario, an attacker-supplied .i64 file can influence that behavior enough to place attacker-controlled code into a plugins directory. The issue is tied to local interaction (UI:R) and has CVSS 3.1 vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L.

Defensive priority

Prioritize patching if your environment opens untrusted .i64 files or uses IDA on shared systems. The score is medium (6.5), but the workflow impact can be meaningful because the flaw is triggered through analysis of attacker-supplied project files.

Recommended defensive actions

  • Upgrade Hex-Rays IDA Pro to 9.3sp2 or later.
  • Treat .i64 files from untrusted sources as high risk and isolate their analysis.
  • Restrict where IDA can read and write files during analysis to reduce the impact of file-placement behavior.
  • Review plugin directories and related startup paths for unexpected or newly added files after analyzing suspicious projects.
  • Update internal guidance for reverse-engineering or malware-analysis workflows to include this CVE.
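
One way to carry out the plugin-directory review above is to record a baseline of the directory before opening a suspicious project and compare against it afterwards. The script below is an added example, not Hex-Rays tooling or code from the CVE record; the plugin directory and baseline file are passed as arguments because their locations depend on the installation, and the function names are hypothetical.

```python
import hashlib
import json
import os
import sys
from pathlib import Path


def snapshot(plugin_dir):
    """Map every file under plugin_dir (relative path) to a SHA-256 digest."""
    root = Path(plugin_dir)
    entries = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            if path.is_symlink():
                # Record the target instead of hashing something outside the tree.
                entries[rel] = "symlink:" + os.readlink(path)
            else:
                entries[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return entries


def compare(baseline, current):
    """Report files added, modified or removed since the baseline."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(k for k in shared if baseline[k] != current[k]),
        "removed": sorted(baseline.keys() - current.keys()),
    }


def main(argv):
    # usage: plugin_check.py baseline|check <plugin_dir> <baseline.json>
    mode, plugin_dir, baseline_file = argv[1:4]
    if mode == "baseline":
        Path(baseline_file).write_text(json.dumps(snapshot(plugin_dir), indent=2))
        return 0
    saved = json.loads(Path(baseline_file).read_text())
    report = compare(saved, snapshot(plugin_dir))
    print(json.dumps(report, indent=2))
    return 1 if any(report.values()) else 0  # non-zero exit signals drift


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Store the baseline file outside any location the analysis session can write to, and run the check against each plugin directory the installation loads from.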

Evidence notes

Based only on the supplied CVE record and official references. The CVE description states the affected products, the pre-9.3sp2 condition, the Clang dependency-file generation/argument-injection issue, and the .i64-triggered plugin-directory write outcome. NVD lists CWE-88 and the CVSS 3.1 vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L. Published 2026-05-09 and modified 2026-05-10; no KEV entry was supplied.

Official resources

Publicly disclosed on 2026-05-09; the supplied record was modified on 2026-05-10. No CISA KEV entry was supplied.