CVE-2026-49497 | Ghidra before 12.1 contains a path traversal vulnerability i… | CVSS 3.3 LOW

Description

Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis.

Metadata

CVE ID: CVE-2026-49497
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-05-31 11:54 UTC
Published: 2026-06-10 12:37 UTC
Last updated: 2026-06-10 15:09 UTC
Primary CWE: CWE-22
Improper Limitation of a Pathname to a Restricted Directory …
Vendor / Product: nationalsecurityagency / ghidra
Sources: cve.org · NVD

Severity & Metrics

3.3 LOW CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
nationalsecurityagency	ghidra	—	0 < 12.1, 12.1

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores (2)

Score	Severity	Version	Source	Vector
4.6	MEDIUM	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
3.3	LOW	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

References (2)

GitHub Security Advisory (GHSA-57g6-7qw2-p5hx) https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-57g6-7qw2-p5hx
https://www.vulncheck.com/advisories/ghidra-path-traversal-via-gnu-debuglink-in-dwarf-external-debug-file-resolution