CVE-2026-49497 Overview
CVE-2026-49497 is a path traversal vulnerability [CWE-22] in Ghidra versions prior to 12.1. The flaw resides in the SameDirDebugInfoProvider component, which fails to validate filenames extracted from the .gnu_debuglink section of ELF binaries before constructing file paths. An attacker can craft a malicious ELF binary with traversal sequences in the debug link filename. When an analyst opens the binary, Ghidra's automatic DWARF analysis triggers filesystem probing and CRC32 hash leakage of arbitrary files accessible to the analyst's user account.
Critical Impact
Crafted ELF binaries can cause Ghidra to probe arbitrary filesystem paths and leak CRC32 hashes of files outside the project directory during automatic DWARF analysis.
Affected Products
- Ghidra versions prior to 12.1
- National Security Agency (NSA) Ghidra software reverse engineering framework
- Installations performing automatic DWARF analysis on untrusted ELF binaries
Discovery Timeline
- 2026-06-10 - CVE-2026-49497 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-49497
Vulnerability Analysis
The vulnerability exists in Ghidra's DWARF external debug file resolution logic. When Ghidra loads an ELF binary, it parses the .gnu_debuglink section to locate companion debug information files. The SameDirDebugInfoProvider class uses the filename string from this section to construct a path in the same directory as the loaded binary.
The provider does not sanitize the filename or strip directory separators before path construction. An attacker can embed sequences such as ../../../etc/passwd inside the debug link field. Ghidra then attempts to access the resolved path and computes a CRC32 checksum to validate the debug file match.
The checksum computation provides the leak primitive. File existence can be confirmed through error path differences, and CRC32 values of readable files are returned during the validation step.
Root Cause
The root cause is missing input validation on attacker-controlled data parsed from a binary file format. The .gnu_debuglink section is treated as trusted metadata rather than untrusted input requiring sanitization. No check enforces that the resulting path remains within the intended directory.
Attack Vector
Exploitation requires an analyst to open a crafted ELF binary in Ghidra with auto-analysis enabled. The attack vector is local and requires user interaction. The vulnerability does not yield code execution but enables information disclosure of file existence and CRC32 fingerprints across the filesystem reachable by the Ghidra process.
Detailed exploitation mechanics are described in the GitHub Security Advisory and the VulnCheck Advisory on Ghidra.
Detection Methods for CVE-2026-49497
Indicators of Compromise
- ELF binaries containing .gnu_debuglink section entries with directory traversal sequences such as ../ or absolute paths
- Ghidra analysis logs showing file access attempts outside the project directory during DWARF processing
- Unexpected filesystem read operations originating from the Ghidra JVM process during binary import
Detection Strategies
- Inspect submitted ELF samples with readelf --string-dump=.gnu_debuglink before opening in Ghidra to flag traversal patterns
- Audit Ghidra analysis logs for SameDirDebugInfoProvider entries referencing paths containing .. separators
- Monitor host process telemetry for Ghidra accessing files outside expected project and installation directories
Monitoring Recommendations
- Enable file access auditing on analyst workstations running Ghidra to record paths touched by the JVM process
- Forward analyst endpoint telemetry to a centralized log platform and alert on Ghidra accessing sensitive locations such as /etc, ~/.ssh, or credential stores
- Track Ghidra version inventory across reverse engineering teams to confirm patched builds are deployed
How to Mitigate CVE-2026-49497
Immediate Actions Required
- Upgrade Ghidra to version 12.1 or later on all analyst workstations
- Disable automatic DWARF analysis when triaging untrusted ELF binaries until upgrade is complete
- Analyze suspicious binaries inside isolated virtual machines or containers with no access to sensitive host paths
Patch Information
The vulnerability is fixed in Ghidra 12.1. The patch adds validation in SameDirDebugInfoProvider to reject filenames containing path separators or traversal sequences before constructing the lookup path. Refer to the GitHub Security Advisory GHSA-57g6-7qw2-p5hx for the official fix details.
Workarounds
- Disable the DWARF analyzer in the Ghidra Auto Analysis options dialog before importing untrusted ELF binaries
- Run Ghidra under a dedicated low-privilege user account with read access restricted to project directories only
- Pre-screen ELF binaries with a script that extracts and validates the .gnu_debuglink filename field before analyst handoff
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

