EUVD-2026-36006Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Ghidra before 12.1 contains a path traversal vulnerability in SameDirDebugInfoProvider that fails to validate filenames from ELF binary .gnu_debuglink sections before constructing file paths. Attackers can craft malicious ELF binaries with traversal sequences to probe filesystem existence and leak CRC32 hashes of arbitrary files during automatic DWARF analysis.
AnalysisAI
Path traversal in Ghidra's SameDirDebugInfoProvider (versions before 12.1) enables filesystem probing and CRC32 hash leakage of arbitrary files when a user opens a crafted ELF binary during automatic DWARF analysis. The vulnerability stems from missing validation of filenames embedded in ELF .gnu_debuglink sections before those filenames are used to construct filesystem paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Active user interaction is required (CVSS UI:A): the victim must open the malicious ELF binary in Ghidra, and automatic DWARF analysis must execute - this is the default analysis profile in Ghidra. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score is 4.6 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An adversary embeds a .gnu_debuglink section in a malicious ELF binary containing a crafted filename with traversal sequences such as '../../../../etc/shadow'. The binary is delivered to a Ghidra analyst via phishing, a shared sample repository, or as part of a CTF challenge. … |
| Remediation | Upgrade to Ghidra 12.1 or later, which contains the vendor-released patch for this vulnerability per the advisory GHSA-57g6-7qw2-p5hx at https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-57g6-7qw2-p5hx. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens
Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking
Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the
Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application
Uncontrolled resource consumption in Ghidra's Mach-O binary parser (versions 10.2 through pre-12.1) allows a crafted bin
Share
External POC / Exploit Code
Leaving vuln.today