Medium severity6.6NVD Advisory· Published Apr 23, 2026· Updated Apr 27, 2026
CVE-2026-6941
CVE-2026-6941
Description
radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.
Affected products
1Patches
14bcdee725ff0Ignore symlinked notes ##projects
2 files changed · +49 −0
libr/core/project.c+5 −0 modified@@ -813,6 +813,11 @@ R_API char *r_core_project_notes_file(RCore *core, const char *prj_name) { const char *prjdir = r_config_get (core->config, "dir.projects"); char *prjpath = r_file_abspath (prjdir); char *notes_txt = r_file_new (prjpath, prj_name, "notes.txt", NULL); + char *link = notes_txt? r_file_readlink (notes_txt): NULL; + if (link && strcmp (link, notes_txt)) { + R_FREE (notes_txt); + } + free (link); free (prjpath); return notes_txt; }
test/db/cmd/projects+44 −0 modified@@ -676,6 +676,50 @@ EXPECT=<<EOF EOF RUN +NAME=Ignore symlinked notes in an imported .zrp project +FILE=bins/elf/analysis/main +ARGS=-n +CMDS=<<EOF +e prj.vc=false +e dir.projects = /tmp/r2r-project-import-notes +!rm -rf /tmp/r2r-project-import-notes /tmp/r2r-zrp-malicious /tmp/r2r-zrp-outside /tmp/r2r-malicious.zrp +!mkdir -p /tmp/r2r-zrp-malicious/evil /tmp/r2r-zrp-outside +!printf '# r2 rdb project file\n' > /tmp/r2r-zrp-malicious/evil/rc.r2 +!ln -sf /tmp/r2r-zrp-outside/owned.txt /tmp/r2r-zrp-malicious/evil/notes.txt +!cd /tmp/r2r-zrp-malicious && zip -y -r /tmp/r2r-malicious.zrp evil >/dev/null +Pzi /tmp/r2r-malicious.zrp > /dev/null +P evil > /dev/null +Pn hello +!python3 -c "import os; print('clean' if not os.path.exists('/tmp/r2r-zrp-outside/owned.txt') else 'written')" +!rm -rf /tmp/r2r-project-import-notes /tmp/r2r-zrp-malicious /tmp/r2r-zrp-outside /tmp/r2r-malicious.zrp +EOF +EXPECT=<<EOF +clean +EOF +RUN + +NAME=Import a .zrp project without symlinked notes +FILE=bins/elf/analysis/main +ARGS=-n +CMDS=<<EOF +e prj.vc=false +e dir.projects = /tmp/r2r-project-import-ok +!rm -rf /tmp/r2r-project-import-ok /tmp/r2r-zrp-regular /tmp/r2r-regular.zrp +!mkdir -p /tmp/r2r-zrp-regular/ok +!printf '# r2 rdb project file\n' > /tmp/r2r-zrp-regular/ok/rc.r2 +!printf 'SAFE_NOTE\n' > /tmp/r2r-zrp-regular/ok/notes.txt +!cd /tmp/r2r-zrp-regular && zip -r /tmp/r2r-regular.zrp ok >/dev/null +Pzi /tmp/r2r-regular.zrp > /dev/null +P ok > /dev/null +Pn +!rm -rf /tmp/r2r-project-import-ok /tmp/r2r-zrp-regular /tmp/r2r-regular.zrp +EOF +EXPECT=<<EOF +SAFE_NOTE + +EOF +RUN + NAME=Delete a saved project and used directory (with Pd) FILE=bins/elf/analysis/main ARGS=-n
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/radareorg/radare2/commit/4bcdee725ff0754ed721a98789c0af371c5f32a4nvdPatch
- github.com/radareorg/radare2/pull/25831nvdExploitIssue TrackingThird Party Advisory
- www.vulncheck.com/advisories/radare2-project-notes-path-traversal-via-symlinknvdThird Party Advisory
News mentions
1- A Deep Dive Into Attempted Exploitation of CVE-2023-33538Unit 42 · Apr 16, 2026