CVE-2026-52752: Ghidra Path Traversal in Extension Installer (CVSS 7.8)
Ghidra, the NSA's open-source reverse-engineering framework, contains a flaw in how it handles user-installed extensions. When you install an extension (a ZIP file that adds features), the software doesn't properly check whether filenames inside that ZIP are trying to escape the extension directory using path-traversal tricks like '../'. A malicious actor can create a specially crafted extension that, when installed, writes files anywhere on your system where Ghidra has write access—potentially including executable locations that would let them run arbitrary code with the same privileges as your user account.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-22
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
Ghidra before 12.0.2 contains a path traversal vulnerability in the extension installer that fails to validate ZIP entry names during extraction. Attackers can craft malicious extensions with traversal sequences like ../ in filenames to write arbitrary files outside the intended directory, enabling code execution.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-52752 is a path-traversal vulnerability (CWE-22) in Ghidra's extension installation mechanism. The vulnerability exists because the extension installer does not validate ZIP entry names before extraction, allowing an attacker to include traversal sequences (e.g., '../') in archived filenames. During extraction, these sequences are interpreted literally, permitting writes to arbitrary filesystem locations outside the designated extension directory. This can result in arbitrary code execution when the malicious payload is executed by the Ghidra process. The attack requires user interaction—a user must explicitly install the malicious extension—making social engineering or supply-chain compromise potential attack vectors. Affected versions are those prior to 12.0.2.
Business impact
For organizations using Ghidra in security research, malware analysis, or reverse-engineering workflows, this vulnerability represents a significant operational risk. An attacker distributing a trojanized extension through official channels, third-party repositories, or social engineering could compromise analyst workstations. Given that Ghidra is commonly deployed in security operations centers and forensics labs where sensitive analysis occurs, a successful exploit could lead to lateral movement into sensitive networks, exfiltration of reverse-engineering findings, or compromise of the analysis environment itself. The damage is amplified if analysts routinely process samples from untrusted sources, as the attack chain becomes seamless: download sample → open in Ghidra → install 'helpful' extension → compromise.
Affected systems
This vulnerability affects all releases of Ghidra prior to version 12.0.2. Ghidra is primarily used by security researchers, reverse engineers, malware analysts, and government/defense organizations. While Ghidra is cross-platform (Windows, macOS, Linux), the vulnerability affects all implementations equally. No specific conditional factors (e.g., non-default configurations) limit exposure—any user of a vulnerable version who installs an untrusted or compromised extension is at risk.
Exploitability
Exploitability is moderate to high in targeted scenarios. The vulnerability requires user interaction—a victim must download and actively install a malicious extension. However, the barrier to exploitation is low from a technical standpoint: crafting a ZIP file with path-traversal filenames is trivial. Distribution vectors are plausible: compromised third-party extension repositories, watering-hole attacks on forums where analysts congregate, or social engineering impersonating official Ghidra extensions. Once installed, execution is automatic and occurs with user privileges. Notably, the vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no widespread active exploitation has been publicly disclosed at this time, though that does not preclude targeted or private exploitation.
Remediation
The definitive remediation is to upgrade to Ghidra version 12.0.2 or later. This patch version implements proper validation of ZIP entry names during extension extraction, rejecting or safely handling traversal sequences. Organizations should verify that patches are deployed across all workstations running Ghidra, particularly those in high-risk environments (SOCs, forensics labs, malware analysis teams). Until patching is complete, enforce a policy prohibiting installation of extensions from untrusted sources and consider disabling the extension installer functionality if not essential to operations.
Patch guidance
NSA has released Ghidra 12.0.2 as the fix for this vulnerability. Administrators should: (1) download the patched version directly from the official NSA Ghidra GitHub repository or authorized distribution channels; (2) verify checksums or signatures to ensure authenticity; (3) test the updated version in a non-production environment to confirm compatibility with existing extensions and workflows; (4) deploy updates to all affected systems, prioritizing analyst workstations and shared servers; (5) document the patch deployment and verify completion. If you maintain custom extensions, review them to ensure they do not inadvertently rely on path-traversal behavior (unlikely, but worth confirming). Verify against the vendor advisory for any post-12.0.2 updates or supplemental guidance.
Detection guidance
Detection at runtime is challenging because the attack occurs during extension installation. However, organizations can implement preventive controls: (1) monitor filesystem access patterns for attempts to write files outside standard Ghidra directories (e.g., via auditd on Linux or Windows file-integrity monitoring); (2) audit extension installation logs and ZIP extraction events if Ghidra or system tools provide visibility; (3) scan downloaded extensions with static analysis tools to detect suspicious filenames containing traversal sequences; (4) inspect the contents of third-party extensions before installation, particularly examining the internal file structure of any ZIP. Endpoint Detection and Response (EDR) tools may flag unusual file writes or process behavior if the malicious payload is executed post-compromise.
Why prioritize this
This vulnerability warrants high priority for organizations running Ghidra. The CVSS score of 7.8 (HIGH) reflects local attack vector, low complexity, and high impact to confidentiality, integrity, and availability. The combination of trivial exploit construction, plausible distribution vectors, and the sensitive nature of environments where Ghidra operates (security research, forensics) elevates practical risk. While current exploitation is not known to be widespread, the vulnerability is easily weaponizable and could be leveraged in targeted campaigns against security organizations. Patching should proceed within standard maintenance windows but should not be delayed indefinitely.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects: (1) Attack Vector: Local (AV:L)—requires local system access, but installation of an extension by the user satisfies this; (2) Attack Complexity: Low (AC:L)—no special conditions required; (3) Privileges Required: None (PR:N)—any user can install extensions; (4) User Interaction: Required (UI:R)—the user must choose to install the malicious extension; (5) Scope: Unchanged (S:U)—impact is confined to the Ghidra process and files it can access; (6) Confidentiality, Integrity, Availability: All High (C:H/I:H/A:H)—arbitrary code execution allows full system compromise from a user perspective. The HIGH severity appropriately captures that successful exploitation grants near-complete control over the Ghidra environment and analyst workstation.
Frequently asked questions
Can I still use Ghidra if I don't install extensions?
Yes. The vulnerability specifically affects the extension installer. If your workflows do not rely on extensions, you can continue using Ghidra, though upgrading to 12.0.2 is still recommended as a best practice and to close the attack surface.
Are official Ghidra extensions from NSA vulnerable to this issue?
Official extensions distributed by NSA do not contain malicious payloads. The vulnerability lies in the validation mechanism, not the official extensions themselves. However, any extension—official or third-party—could theoretically be compromised if its distribution channel is attacked or if you accidentally install a look-alike from an unofficial repository.
What should I do if I've already installed an extension from an untrusted source?
If you suspect compromise, immediately upgrade to version 12.0.2, then conduct a security review of your workstation. Check for unexpected files outside Ghidra directories, review running processes, and consider scanning with antivirus or EDR tools. If analysis data is sensitive (e.g., malware research), treat the workstation as potentially compromised and follow your incident-response procedures.
Does this affect Ghidra deployments on isolated or air-gapped networks?
Yes. Path-traversal vulnerabilities do not require network connectivity to exploit. If an attacker has physical access or can introduce a malicious extension via USB, email attachment, or other offline means, they can still compromise an air-gapped Ghidra installation.
This analysis is provided for informational purposes and reflects publicly available information as of the publication date. SEC.co does not guarantee the accuracy, completeness, or timeliness of vulnerability data. Organizations should verify all patch versions, compatibility, and deployment procedures against official vendor advisories and security bulletins from NSA before implementing changes. This analysis does not constitute legal or compliance advice. Consult your security team, vendor support, and relevant regulatory guidance for your specific environment. No exploit code or weaponized proof-of-concept is provided; this content is intended to support defensive security practices only. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-52755HIGHGhidra Path Traversal in Theme Import – HIGH Severity RCE Risk
- CVE-2026-49497LOWGhidra Path Traversal in Debug Symbol Resolution
- CVE-2026-52756MEDIUMGhidra IsfServer Path Traversal Vulnerability
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-0270HIGHCortex XSOAR Path Traversal on Linux — Exploit Requirements & Patching Guide