CVE-2026-49497
Path Traversal in Ghidra Debug Info Provider

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis.
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
national_security_agency | ghidra | to 12.1 (exc)
CWE
CWE ID | Description
CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

CVE-2026-49497 is a path traversal vulnerability in Ghidra versions before 12.1, specifically in the SameDirDebugInfoProvider component. This vulnerability occurs because Ghidra does not properly validate filenames extracted from the .gnu_debuglink section of ELF binaries.

Attackers can craft malicious ELF binaries containing path traversal sequences (like ../../../../../../../etc/shadow) that cause Ghidra to probe the local filesystem for the existence of arbitrary files. During automatic DWARF analysis, Ghidra reads these filenames without sanitization, constructs file paths, and if the targeted files exist, it reads them and leaks their CRC32 hashes.

This leakage of CRC32 hashes can expose sensitive filesystem information to an attacker, especially in automated analysis pipelines where log outputs might be captured and returned to the binary submitter.

Impact Analysis

An attacker can use this vulnerability to probe your filesystem for the existence of arbitrary files and to leak CRC32 hashes of their contents. This can reveal sensitive information about your system's files without requiring privileges.

If you use Ghidra to analyze ELF binaries, opening a maliciously crafted binary could cause Ghidra to automatically perform these probes and leak information through logs or analysis outputs.

In automated analysis environments, this information leakage could be captured and sent back to the attacker, potentially exposing details about your filesystem structure and file contents.

Detection Guidance

This vulnerability is triggered when Ghidra imports ELF binaries containing malicious .gnu_debuglink sections with path traversal sequences. Detection involves monitoring Ghidra's DWARF analysis logs for unexpected file path accesses or CRC32 hash computations of files outside the expected directories.

Since the vulnerability occurs during ELF import in Ghidra, you can detect exploitation attempts by checking for suspicious log entries or file access patterns indicating path traversal sequences like "../../" in filenames processed by SameDirDebugInfoProvider.

There are no specific commands provided in the resources, but general detection steps include:

  • Review Ghidra logs for file paths containing traversal sequences or unexpected file hashes.
  • Monitor ELF binaries imported into Ghidra for suspicious .gnu_debuglink section filenames with path traversal patterns.
  • Use file integrity monitoring tools to detect unexpected file reads or hash computations triggered by Ghidra.
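
A pre-import screen for the second detection step above, added here as an example (it is not Ghidra's code and not from the advisory): it reads the .gnu_debuglink section of an ELF file and flags names that are not bare filenames. The function names, the flagging policy and the constructed sample images are assumptions for illustration; the policy is not the logic of ensureSafeFilename().

```python
import struct

def debuglink(elf: bytes):
    """Return (filename, crc32) from .gnu_debuglink, or None if the section is absent."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if elf[5] == 1 else ">"         # EI_DATA: 1 = little endian, 2 = big endian
    # e_shoff and e_shentsize/e_shnum/e_shstrndx sit at class-dependent offsets
    shoff, = struct.unpack_from(e + ("Q" if is64 else "I"), elf, 0x28 if is64 else 0x20)
    shentsize, shnum, shstrndx = struct.unpack_from(e + "HHH", elf, 0x3A if is64 else 0x2E)
    if shnum == 0:
        return None

    def section(i):
        """(sh_name, sh_offset, sh_size) of section header i."""
        base = shoff + i * shentsize
        name, = struct.unpack_from(e + "I", elf, base)
        off, size = struct.unpack_from(e + ("QQ" if is64 else "II"), elf, base + (0x18 if is64 else 0x10))
        return name, off, size

    _, stroff, strsize = section(shstrndx)
    strtab = elf[stroff:stroff + strsize]
    for i in range(shnum):
        name, off, size = section(i)
        if strtab[name:].split(b"\0", 1)[0] == b".gnu_debuglink":
            data = elf[off:off + size]
            fname = data.split(b"\0", 1)[0]                       # NUL-terminated name
            crc, = struct.unpack_from(e + "I", data, len(data) - 4)  # CRC32 is the last 4 bytes
            return fname.decode("utf-8", "replace"), crc
    return None

def is_suspicious(name: str) -> bool:
    # Assumed policy: a debuglink name should be a bare filename with no directory part.
    return "/" in name or "\\" in name or name in ("", ".", "..")

def make_sample(link: bytes, crc: int = 0x12345678) -> bytes:
    """Constructed test fixture: ELF64 LE image holding only .shstrtab and .gnu_debuglink."""
    strtab = b"\0.shstrtab\0.gnu_debuglink\0"
    dl = link + b"\0" * (1 + -(len(link) + 1) % 4) + struct.pack("<I", crc)
    shoff = 64 + len(strtab) + len(dl)
    hdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    hdr += struct.pack("<HHIQQQIHHHHHH", 1, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)
    sh = lambda n, t, o, s: struct.pack("<IIQQQQIIQQ", n, t, 0, 0, o, s, 0, 0, 1, 0)
    return hdr + strtab + dl + sh(0, 0, 0, 0) + sh(1, 3, 64, len(strtab)) + sh(11, 1, 64 + len(strtab), len(dl))

if __name__ == "__main__":
    for link in (b"app.debug", b"../../outside/app.debug"):   # constructed names
        name, crc = debuglink(make_sample(link))
        print(f"{name!r} crc={crc:#010x} suspicious={is_suspicious(name)}")
```

Run over a submission queue, a flagged file can be quarantined before any Ghidra import or automatic analysis touches it.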

Mitigation Strategies

The primary mitigation is to upgrade Ghidra to version 12.1 or later, where the vulnerability is fixed by applying filename validation (ensureSafeFilename()) in the SameDirDebugInfoProvider component.

Until the upgrade is possible, avoid importing untrusted or suspicious ELF binaries with potentially malicious .gnu_debuglink sections into Ghidra.

Additionally, consider disabling automatic DWARF analysis or external debug file resolution features in Ghidra if feasible, to reduce exposure.
