
Description

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with the permissions of the radare2 process, resulting in integrity and availability loss.
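The defensive counterpart to the weakness described above is a confinement check applied before any recursive removal: the caller-supplied project name is joined to the configured projects root component by component, and absolute names, names that climb out of the root with "..", and names that resolve to the root itself are rejected. The following is an added illustration written for this record; it is not radare2's code and not the fix merged in the referenced pull request. The root path, the project names and the function names are assumptions.

```c
/* Added example, not radare2 code: a lexical confinement check that a
 * project-deletion routine can apply before any recursive removal.
 * The configured root (radare2's dir.projects) and the caller-supplied
 * project name are joined component by component; absolute names, names
 * that climb above the root with "..", and names that resolve to the root
 * itself are rejected. All names and paths below are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 256

/* Build "<root>/<normalised name>" into out. Returns false when the name
 * is empty, absolute, escapes the root, or does not fit in out. */
bool confine_project_path(const char *root, const char *name,
                          char *out, size_t outsz)
{
    const char *comps[MAX_COMPONENTS];
    size_t lens[MAX_COMPONENTS];
    size_t depth = 0;

    if (!root || !name || !out || outsz == 0 || *root == '\0')
        return false;
    if (*name == '\0' || *name == '/')       /* empty or absolute: reject */
        return false;

    /* Lexically normalise the name: drop "" and ".", pop on "..". */
    for (const char *p = name; *p; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);
        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* no-op component */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return false;                /* would climb above the root */
            depth--;
        } else {
            if (depth == MAX_COMPONENTS)
                return false;
            comps[depth] = p;
            lens[depth] = len;
            depth++;
        }
        if (!slash)
            break;
        p = slash + 1;
    }
    if (depth == 0)
        return false;                        /* resolved to the root itself */

    /* Assemble the confined path with explicit bounds checks. */
    size_t rlen = strlen(root);
    while (rlen > 0 && root[rlen - 1] == '/')
        rlen--;                              /* strip trailing slashes */
    if (rlen >= outsz)
        return false;
    memcpy(out, root, rlen);
    size_t n = rlen;
    for (size_t i = 0; i < depth; i++) {
        if (n + 1 + lens[i] + 1 > outsz)     /* '/' + component + NUL */
            return false;
        out[n++] = '/';
        memcpy(out + n, comps[i], lens[i]);
        n += lens[i];
    }
    out[n] = '\0';
    return true;
}

/* Check helper: expect == NULL means "the name must be rejected". */
bool confinement_matches(const char *root, const char *name, const char *expect)
{
    char buf[512];
    bool ok = confine_project_path(root, name, buf, sizeof buf);
    if (!expect)
        return !ok;
    return ok && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed inputs: an assumed root and a mix of benign and escaping names. */
    const char *root = "/home/user/.local/share/radare2/projects";
    const char *names[] = { "demo", "demo/../other", "sub/./proj/",
                            "/var/tmp/other-dir", "../../../home/user", "..", "." };
    char buf[512];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        bool ok = confine_project_path(root, names[i], buf, sizeof buf);
        printf("%-22s -> %s\n", names[i], ok ? buf : "REJECTED");
    }
    return 0;
}
```

The lexical check is deliberately independent of the filesystem so it can run before anything is touched; on a live system it should be followed by a realpath() of the confined result and a second prefix comparison against the resolved root, because a symbolic link inside the projects directory can still point outside it.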

Status: PUBLISHED | Reserved 2026-04-23 | Published 2026-04-23 | Updated 2026-04-24 | Assigner: VulnCheck

Severity

MEDIUM: 6.9 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N)

HIGH: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unaffected

Any version before e5fcf56fe038760c872c6dbed432602778fde1ed (git): unaffected

Any version before 6.1.4: affected

Credits

Chia Min Jun Lennon (finder)

References

github.com/radareorg/radare2/pull/25830 (Pull Request): technical-description, exploit

github.com/radareorg/radare2/pull/25830/commits (Patch Commit): issue-tracking

www.vulncheck.com/...etion-path-traversal-directory-deletion: third-party-advisory

cve.org (CVE-2026-6940)

nvd.nist.gov (CVE-2026-6940)
