PatchSiren cyber security CVE debrief

CVE-2026-49497 nationalsecurityagency CVE debrief

CVE-2026-49497 is a path traversal vulnerability in Ghidra before 12.1. The flaw is located in the SameDirDebugInfoProvider, which does not validate the filename read from an ELF binary's .gnu_debuglink section before using it to construct a file path. An attacker can therefore craft a malicious ELF binary whose .gnu_debuglink filename contains traversal sequences; when the binary is opened and automatic DWARF analysis runs, the resolver probes for the existence of arbitrary files and leaks their CRC32 hashes. The vulnerability has a CVSS score of 4.6 and a severity of MEDIUM.

Vendor: nationalsecurityagency
Product: ghidra
CVSS: MEDIUM 4.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-11
Advisory published: 2026-06-10
Advisory updated: 2026-06-11

Who should care

Users of Ghidra before version 12.1, in particular anyone who opens untrusted ELF binaries in it, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is caused by a lack of validation of the filename taken from an ELF binary's .gnu_debuglink section before the SameDirDebugInfoProvider joins it onto the binary's directory to build a file path. A filename containing traversal sequences therefore resolves to a path outside that directory, so a malicious ELF binary can direct the debug-file lookup at arbitrary files on the analyst's system.
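The following is an added illustration, not Ghidra's own code: a small Python model of the .gnu_debuglink lookup that parses the section payload and then refuses any filename that is not a bare name inside the binary's directory, rejecting the traversal case before the filesystem is touched. It assumes a little-endian target for the CRC field and uses constructed sample payloads.

```python
import os
import struct


def parse_gnu_debuglink(section):
    """Parse a .gnu_debuglink payload: NUL-terminated filename, padding to a
    4-byte boundary, then the CRC32 of the separate debug file.
    Assumes a little-endian target (the CRC uses the ELF's byte order)."""
    nul = section.find(b"\x00")
    if nul < 0:
        raise ValueError("no NUL terminator in .gnu_debuglink")
    name = section[:nul].decode("utf-8", errors="replace")
    crc_off = (nul + 1 + 3) & ~3          # round up to a 4-byte boundary
    if len(section) < crc_off + 4:
        raise ValueError("truncated .gnu_debuglink")
    (crc,) = struct.unpack("<I", section[crc_off:crc_off + 4])
    return name, crc


def is_safe_debuglink_name(name):
    """Accept only a bare file name: no separators, no '.'/'..', not empty."""
    if not name or name in (".", ".."):
        return False
    return "/" not in name and "\\" not in name


def resolve_same_dir(binary_path, name):
    """Hardened same-directory lookup. Returns the candidate debug-file path,
    or None (without touching the filesystem) when the name is unsafe or the
    resolved path would leave the binary's directory."""
    if not is_safe_debuglink_name(name):
        return None
    base = os.path.realpath(os.path.dirname(os.path.abspath(binary_path)))
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(candidate) != base:   # defence in depth (e.g. symlinks)
        return None
    return candidate


def build_section(name, crc):
    """Construct a .gnu_debuglink payload (used only for the samples below)."""
    raw = name.encode() + b"\x00"
    raw += b"\x00" * (-len(raw) % 4)
    return raw + struct.pack("<I", crc)


if __name__ == "__main__":
    # Constructed samples: a benign link and one carrying traversal sequences.
    for payload in (build_section("app.debug", 0x1234ABCD),
                    build_section("../../etc/passwd", 0)):
        name, crc = parse_gnu_debuglink(payload)
        print(f"{name!r} crc=0x{crc:08x} -> {resolve_same_dir('/opt/bin/app', name)}")
```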

Defensive priority

MEDIUM

Recommended defensive actions

  • Update Ghidra to version 12.1 or later.
  • Review the vendor advisory for mitigation details: [ref-4](https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-57g6-7qw2-p5hx).
  • Review the third-party advisory for additional context: [ref-5](https://www.vulncheck.com/advisories/ghidra-path-traversal-via-gnu-debuglink-in-dwarf-external-debug-file-resolution).

Evidence notes

The vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-49497) and has a detailed description on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-49497).

Official resources

CVE-2026-49497 was published on 2026-06-10T14:16:34.643Z and modified on 2026-06-11T19:50:28.753Z.