Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-52752

CVE-2026-52752: Ghidra Path Traversal Vulnerability

CVE-2026-52752 is a path traversal vulnerability in Ghidra's extension installer that allows attackers to write files outside intended directories. This post covers the technical details, affected versions, and mitigations.

Published:

CVE-2026-52752 Overview

CVE-2026-52752 is a path traversal vulnerability [CWE-22] in Ghidra, the open-source software reverse engineering framework maintained by the National Security Agency. The flaw affects Ghidra versions before 12.0.2. The extension installer fails to validate ZIP entry names during extraction. Attackers can craft malicious extension archives containing traversal sequences such as ../ in entry names. Successful exploitation writes arbitrary files outside the intended installation directory and can lead to code execution in the context of the user running Ghidra.

Critical Impact

A crafted Ghidra extension can write files to arbitrary filesystem locations during installation, enabling local code execution on the analyst workstation.

Affected Products

  • Ghidra versions prior to 12.0.2
  • Ghidra extension installer component
  • Reverse engineering workstations running vulnerable Ghidra builds

Discovery Timeline

  • 2026-06-10 - CVE-2026-52752 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-52752

Vulnerability Analysis

The vulnerability resides in Ghidra's extension installer routine. Ghidra distributes extensions as ZIP archives that users install through the application's extension management interface. During installation, the installer iterates over ZIP entries and writes each file to disk. The installer does not validate that resolved output paths remain inside the target extension directory. An attacker can include entries with names like ../../../../home/user/.bashrc or ..\..\Windows\System32\file.dll. When extracted, these entries escape the intended directory and overwrite arbitrary files the user has permission to modify.

This class of flaw is commonly referred to as a Zip Slip vulnerability. Code execution typically follows by overwriting shell startup files, autorun locations, or scripts that the user executes. See the GitHub Security Advisory for vendor details.

Root Cause

The extraction logic concatenates ZIP entry names with the target directory without canonicalizing the resulting path or verifying it stays within the destination root. The installer treats the archive as trusted input and does not reject traversal sequences in entry names.

Attack Vector

Exploitation requires the victim to install a malicious extension. The attacker distributes a crafted .zip extension through forums, third-party mirrors, or social engineering. When the analyst loads the archive through Ghidra's extension installer, embedded traversal entries are written outside the extension directory. The attack vector is local and requires user interaction, but no authentication or elevated privileges are needed. Refer to the VulnCheck Advisory on Ghidra for additional exploitation analysis.

Detection Methods for CVE-2026-52752

Indicators of Compromise

  • Files created outside the configured Ghidra extensions directory shortly after extension installation activity
  • ZIP archives containing entry names with ../ or ..\ sequences
  • Unexpected modifications to user profile files such as .bashrc, .profile, or Windows startup folders following Ghidra use
  • New or modified executables and scripts in directories writable by the Ghidra user

Detection Strategies

  • Inspect ZIP archives before installation by enumerating entry names and flagging traversal sequences
  • Monitor file system events from the Ghidra process for writes outside the expected Extensions subtree
  • Correlate Ghidra process execution with subsequent file creation in sensitive directories
  • Hunt for newly delivered Ghidra extension archives sourced from non-authoritative locations

Monitoring Recommendations

  • Enable endpoint file integrity monitoring on user home directories and shell configuration files on analyst workstations
  • Log process creation events for Ghidra launchers and child processes spawned after extension installation
  • Track outbound connections from Ghidra to validate that loaded extensions match approved sources

How to Mitigate CVE-2026-52752

Immediate Actions Required

  • Upgrade all Ghidra installations to version 12.0.2 or later
  • Audit installed extensions and remove any obtained from untrusted sources
  • Review analyst workstations for files written outside expected extension directories since the last upgrade
  • Restrict extension installation to archives validated by the security team

Patch Information

The National Security Agency addressed CVE-2026-52752 in Ghidra 12.0.2. The fix validates ZIP entry names during extraction and rejects entries that resolve outside the destination directory. Download the patched release from the official Ghidra repository and verify the release signatures before deployment. Reference the GitHub Security Advisory GHSA-jhc2-q7qf-9c25 for vendor guidance.

Workarounds

  • Install only extensions obtained directly from the official Ghidra repository or vetted internal sources
  • Manually inspect extension ZIP contents with unzip -l before installation and reject archives with traversal sequences
  • Run Ghidra under a low-privilege user account isolated from sensitive files
  • Execute Ghidra inside a sandbox or container to contain unauthorized file writes
bash
# Inspect a Ghidra extension archive for traversal entries before installation
unzip -l suspicious-extension.zip | grep -E '\.\./|\.\.\\\\'

# Verify installed Ghidra version
ghidraRun --version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.