CVE-2026-49497: Ghidra Path Traversal in Debug Symbol Resolution
Ghidra, the NSA's reverse-engineering framework, contains a path traversal flaw in its debug symbol handler. When you open a malicious ELF binary, Ghidra automatically tries to load debugging information referenced in the binary's .gnu_debuglink section. An attacker can craft that section with path traversal sequences (like "../") to trick Ghidra into checking whether arbitrary files exist on your system and leaking their CRC32 checksums. This is a local attack—the attacker needs you to open a malicious file—but it can reveal information about your system's filesystem structure and contents.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.3 LOW · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-22
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Ghidra's SameDirDebugInfoProvider component, which handles DWARF debug symbol resolution. When parsing the .gnu_debuglink section of an ELF binary, the provider constructs file paths without sanitizing the filename field for directory traversal sequences. During automatic DWARF analysis, if Ghidra attempts to load a debug file at an attacker-controlled path (e.g., "../../../../etc/passwd"), the path traversal allows probing of filesystem existence. Additionally, CRC32 hash values computed or validated during this process can leak information about files outside the intended debug directory. An attacker must deliver a crafted ELF binary to the analyst, and the analyst must open it in Ghidra with automatic debug symbol loading enabled (the default behavior).
Business impact
Reverse-engineers, malware analysts, and security researchers who use Ghidra face a subtle information disclosure risk. A sophisticated adversary distributing a malicious binary could exploit this to map out your system's directory structure or confirm the presence of sensitive files (e.g., detecting whether a particular software installation exists). While CRC32 leakage is not a direct password compromise, it can facilitate offline attacks against file contents if the attacker knows candidate files to compare. For most organizations, the impact is low because the attack requires user interaction and yields only indirect filesystem metadata, but security teams handling untrusted binaries should be aware that opening them in Ghidra may reveal environmental details.
Affected systems
Ghidra versions before 12.1 are affected. The vulnerability is present across all platforms (Linux, Windows, macOS) where Ghidra runs, because the vulnerable code is in the core debug symbol resolution logic. Any user or team using Ghidra for binary analysis with versions prior to 12.1 should be considered at risk if they regularly analyze binaries from untrusted sources.
Exploitability
Exploitability is limited by the requirement for user interaction: the analyst must open a malicious ELF binary in Ghidra. There is no remote attack surface. The attack does not require authentication, elevated privileges on the victim's system, or complex environment setup. However, crafting an effective payload requires knowledge of the target system's likely file structure and willingness to distribute a malicious binary. The information disclosed (filesystem existence and CRC32 hashes) is not immediately actionable for most attacks, making this a reconnaissance-level threat rather than a direct compromise vector. Notably, this vulnerability does not appear on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no documented active exploitation in the wild as of the publication date.
Remediation
Upgrade to Ghidra 12.1 or later, which patches the path traversal by implementing proper filename validation in SameDirDebugInfoProvider. If immediate patching is not possible, consider disabling automatic debug symbol loading in Ghidra's preferences (Analyze > Debug > DWARF) when analyzing untrusted binaries, though this will reduce debugging symbol availability. Avoid opening ELF binaries from unverified sources or suspicious distributions.
Patch guidance
Apply the Ghidra 12.1 update or verify the latest available release from the NSA's official Ghidra repository. The patch addresses input validation for filenames in the .gnu_debuglink section, preventing traversal sequences from being interpreted literally in path construction. Verify that your Ghidra installation updates automatically or check https://github.com/NationalSecurityAgency/ghidra for the latest release notes confirming this CVE is resolved.
Detection guidance
Detection is difficult because the attack is local and occurs during normal binary analysis. Network-based detection is not applicable. Host-level detection might monitor Ghidra's file access patterns for unusual filesystem traversal, though this would require endpoint detection and response (EDR) tools configured to flag file access anomalies in reverse-engineering workflows. A practical control is to audit which binaries analysts open in Ghidra and cross-reference against sources; if analysts report opening unexpectedly distributed binaries, investigate them for signs of crafted debug sections. Ghidra does not emit obvious warnings when debug files are not found, so the attack may succeed silently.
Why prioritize this
Although this vulnerability has a CVSS score of 3.3 (LOW severity), it merits attention because it affects a widely-used security research tool. The information disclosure impact—filesystem mapping and file presence confirmation—can be valuable to attackers planning multi-stage campaigns. However, the requirement for user interaction and the lack of active exploitation in the wild lower the urgency. Prioritize patching Ghidra if your team regularly analyzes binaries from external sources or if analysts handle potentially malicious samples as part of security research. For organizations using Ghidra only on trusted internal binaries, remediation can follow a standard patch cycle.
Risk score, explained
The CVSS 3.1 score of 3.3 reflects low overall risk: attack vector is local (AV:L), attack complexity is low (AC:L), no privileges are required (PR:N), and user interaction is required (UI:R). Confidentiality impact is low (C:L)—information about files is disclosed, but not the contents themselves. Integrity and availability are not impacted (I:N, A:N). The score correctly captures that this is an information disclosure vulnerability with limited scope and no path to system compromise. However, context matters: the score does not account for the fact that Ghidra is a specialized tool used by defenders, making widespread exploitation unlikely, and it does not weight the potential intelligence value of the disclosed metadata to a sophisticated adversary.
Frequently asked questions
Can an attacker exploit this vulnerability remotely?
No. This is a local vulnerability that requires an attacker to deliver a malicious ELF binary to a user and have that user open it in Ghidra. There is no network attack surface.
What information does the attacker gain, and how is it useful?
The attacker can confirm whether arbitrary files exist on the analyst's filesystem and obtain CRC32 checksums of those files. This is useful for reconnaissance—mapping the system's software inventory, detecting installed tools, or confirming the presence of specific files. The CRC32 values themselves do not compromise file contents, but an attacker with prior knowledge of a file can verify its identity offline.
Should we disable automatic debug symbol loading entirely?
Disabling automatic debug loading will prevent this attack but will also reduce the utility of Ghidra's DWARF support when analyzing legitimate binaries. A balanced approach is to keep it enabled for trusted samples and disable it only when analyzing binaries from unknown or suspicious sources. Alternatively, upgrade to Ghidra 12.1 to obtain the security fix without losing functionality.
Is this vulnerability currently being exploited in the wild?
No. This vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no documented evidence of active exploitation as of the publication date. However, this does not guarantee future safety; patching proactively is still recommended.
This analysis is based on the vulnerability description and CVSS assessment published on 2026-06-10 (modified 2026-07-14). No active exploitation has been documented in CISA's KEV catalog. Security intelligence is subject to change as new information emerges. Patch availability and version numbers should be verified against the official NSA Ghidra repository. This advisory is for informational purposes and does not constitute security advice for any specific organization; tailor your risk assessment and remediation timeline based on your use of Ghidra and exposure to untrusted binary samples. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-52752HIGHGhidra Path Traversal in Extension Installer (CVSS 7.8)
- CVE-2026-52755HIGHGhidra Path Traversal in Theme Import – HIGH Severity RCE Risk
- CVE-2026-52756MEDIUMGhidra IsfServer Path Traversal Vulnerability
- CVE-2026-10264LOWPath Traversal in lharries whatsapp-mcp 0.0.1
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)