VYPR
Low severity 3.3 · NVD Advisory · Published Jun 10, 2026

CVE-2026-49497


Description

Ghidra before 12.1 has a path traversal vulnerability in SameDirDebugInfoProvider, allowing attackers to probe filesystem existence and leak file hashes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Ghidra versions prior to 12.1 contain a path traversal vulnerability in the SameDirDebugInfoProvider class. The class does not validate filenames extracted from an ELF binary's .gnu_debuglink section before using them to construct file paths. The sibling class LocalDirDebugLinkProvider includes an ensureSafeFilename() check, but this protection is missing in SameDirDebugInfoProvider [1].

Exploitation

An attacker can craft a malicious ELF binary containing traversal sequences within its .gnu_debuglink section. When a reverse engineer opens this binary in Ghidra, the DWARF analyzer, which is enabled by default, will process the .gnu_debuglink filename. The SameDirDebugInfoProvider.getFile() method then uses this untrusted filename to construct a file path, potentially leading to path traversal [1, 2].

Impact

Successful exploitation allows an attacker to probe the existence of arbitrary files on the filesystem by observing Ghidra's behavior. Furthermore, if a file exists and its CRC32 hash matches the one embedded in the .gnu_debuglink section, Ghidra will leak this CRC32 hash to its logs, effectively leaking information about the file's content [1, 2].

Mitigation

Ghidra 12.1 and later address this vulnerability. No workarounds are specified in the available references. The vulnerability is listed under CWE-22 [2].
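A triage check that reads the .gnu_debuglink name and CRC32 from an ELF file and reports whether the name is anything other than a bare file name, so a sample can be screened before it is loaded into an affected release. This is an added example, not Ghidra's code or a workaround from the references; `read_debuglink` and `name_findings` are hypothetical names, and the name rules are a conservative assumption, not the logic of ensureSafeFilename().

```python
import struct
import sys

def read_debuglink(elf: bytes):
    """Return (filename, crc32) from an ELF image's .gnu_debuglink, or None if absent."""
    if elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not an ELF image")
    e, is64 = ("<" if elf[5] == 1 else ">"), elf[4] == 2
    shoff, = struct.unpack_from(e + ("Q" if is64 else "I"), elf, 0x28 if is64 else 0x20)
    shentsize, shnum, shstrndx = struct.unpack_from(e + "HHH", elf, 0x3A if is64 else 0x2E)

    def section(i):  # -> (offset of the name in .shstrtab, section bytes)
        f = struct.unpack_from(e + ("IIQQQQ" if is64 else "IIIIII"), elf, shoff + i * shentsize)
        return f[0], elf[f[4]:f[4] + f[5]]

    _, strtab = section(shstrndx)
    for i in range(shnum):
        name_off, body = section(i)
        if strtab[name_off:].split(b"\0", 1)[0] != b".gnu_debuglink" or len(body) < 8:
            continue
        # Layout: NUL-terminated file name, padding to 4 bytes, then CRC32 of the debug file.
        crc, = struct.unpack_from(e + "I", body, len(body) - 4)
        return body.split(b"\0", 1)[0].decode("utf-8", "replace"), crc
    return None

def name_findings(name: str) -> list[str]:
    """Reasons the name is not a bare file name; an empty list means it is acceptable."""
    findings = []
    if not name:
        findings.append("empty name")
    if "/" in name or "\\" in name:
        findings.append("contains a path separator")
    if ".." in name.replace("\\", "/").split("/"):
        findings.append("contains a '..' component")
    if name.startswith(("/", "\\")) or name[1:2] == ":":
        findings.append("absolute or drive-qualified path")
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            link = read_debuglink(fh.read())
        if link is None:
            print(f"{path}: no .gnu_debuglink")
        else:
            print(f"{path}: {link[0]!r} crc32=0x{link[1]:08x} {name_findings(link[0]) or 'ok'}")
```

Truncated or malformed section tables surface as `struct.error`, and files that use the extended section-count encoding (e_shnum of 0) are not handled.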

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2

News mentions

1