CVE-2026-49497: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in nationalsecurityagency ghidra
Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis.
AI Analysis
Technical Summary
CVE-2026-49497 is a path traversal vulnerability in the nationalsecurityagency's Ghidra software before version 12.1. The issue exists in the SameDirDebugInfoProvider, which does not properly validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. An attacker can craft malicious ELF binaries containing directory traversal sequences to cause Ghidra to access files outside the intended directory. This can be used to probe the filesystem and leak CRC32 hashes of arbitrary files during the DWARF debug information analysis process.
Potential Impact
An attacker can leverage this vulnerability to probe the presence of files on the filesystem and leak CRC32 hashes of arbitrary files. This may lead to information disclosure about the target system's file structure and contents. The vulnerability does not require privileges and can be triggered with user interaction, but it has limited impact as it does not allow direct code execution or full file disclosure.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided, users should monitor the vendor's announcements for updates. Until a fix is available, avoid analyzing untrusted ELF binaries with Ghidra versions prior to 12.1 to reduce exposure.
CVE-2026-49497: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in nationalsecurityagency ghidra
Description
Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis.
CVSS v4.0
Score 4.6medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-49497 is a path traversal vulnerability in the nationalsecurityagency's Ghidra software before version 12.1. The issue exists in the SameDirDebugInfoProvider, which does not properly validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. An attacker can craft malicious ELF binaries containing directory traversal sequences to cause Ghidra to access files outside the intended directory. This can be used to probe the filesystem and leak CRC32 hashes of arbitrary files during the DWARF debug information analysis process.
Potential Impact
An attacker can leverage this vulnerability to probe the presence of files on the filesystem and leak CRC32 hashes of arbitrary files. This may lead to information disclosure about the target system's file structure and contents. The vulnerability does not require privileges and can be triggered with user interaction, but it has limited impact as it does not allow direct code execution or full file disclosure.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch link is provided, users should monitor the vendor's announcements for updates. Until a fix is available, avoid analyzing untrusted ELF binaries with Ghidra versions prior to 12.1 to reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-05-31T11:54:34.994Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2967aec9170919df1fd473
Added to database: 6/10/2026, 1:33:34 PM
Last enriched: 6/10/2026, 1:50:18 PM
Last updated: 6/10/2026, 2:37:42 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.