Ghidra < 12.1 - Path Traversal via .gnu_debuglink in DWARF External Debug File Resolution
CVE-2026-49497

4.6MEDIUM

Key Information:

Vendor: Nationalsecurityagency
Status: Ghidra
Vendor: CVE Published:; 10 June 2026

🔔 Create Nationalsecurityagency Vulnerability Alert

What is CVE-2026-49497?

Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis.

Affected Version(s)

ghidra 0 < 12.1

ghidra 12.1

References

https://github.com/NationalSecurityAgency/ghidra/security...

vendor-advisory

https://www.vulncheck.com/advisories/ghidra-path-traversa...

third-party-advisory

CVSS V4

Score:

4.6

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2026
Vulnerability Reserved
May 31, 2026

Credit

Donghwoo Cho

CVE-2026-49497 Data

JSON