Home

Description

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.

PUBLISHED Reserved 2026-04-23 | Published 2026-04-23 | Updated 2026-04-24 | Assigner VulnCheck




MEDIUM: 6.9CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

MEDIUM: 6.6CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Problem types

CWE-59: Improper Link Resolution Before File Access ('Link Following')

Product status

Default status
unaffected

Any version before 4bcdee725ff0754ed721a98789c0af371c5f32a4
unaffected

Any version before 6.1.4
affected

Credits

Chia Min Jun Lennon finder

References

github.com/radareorg/radare2/pull/25831 (Pull Request) technical-description exploit

github.com/...ommit/4bcdee725ff0754ed721a98789c0af371c5f32a4 (Patch Commit) issue-tracking

www.vulncheck.com/...roject-notes-path-traversal-via-symlink third-party-advisory

cve.org (CVE-2026-6941)

nvd.nist.gov (CVE-2026-6941)

Download JSON