CVE-2026-52755 Overview
CVE-2026-52755 is a path traversal vulnerability in Ghidra, the open-source software reverse engineering framework maintained by the National Security Agency. Versions prior to 12.0.4 fail to validate filenames when extracting user-supplied theme ZIP archives. Attackers craft a malicious theme archive containing entries with ../ traversal sequences, causing Ghidra to write files outside the intended theme directory. Successful exploitation allows attackers to overwrite sensitive files such as ~/.bashrc or ~/.ssh/authorized_keys, leading to arbitrary code execution under the analyst's account. The vulnerability is tracked as CWE-22 and represents a classic Zip Slip flaw in a security-sensitive tool widely used across malware analysis and vulnerability research teams.
Critical Impact
A crafted theme ZIP can write arbitrary files to the user's home directory, enabling code execution through shell startup files or SSH key overwrite.
Affected Products
- Ghidra versions prior to 12.0.4
- National Security Agency Ghidra reverse engineering framework
- All operating systems supporting Ghidra (Windows, Linux, macOS)
Discovery Timeline
- 2026-06-10 - CVE-2026-52755 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-52755
Vulnerability Analysis
Ghidra supports importing user-defined themes packaged as ZIP archives. The theme import routine iterates over archive entries and writes each to the configured theme directory. The implementation concatenates entry names directly with the destination path without canonicalizing the resulting path or verifying it remains within the target directory.
An attacker constructs a ZIP archive containing entries whose names include directory traversal sequences. When Ghidra extracts the archive, the traversal sequences resolve outside the theme directory. The process writes attacker-controlled content to arbitrary filesystem locations writable by the user running Ghidra.
Because Ghidra typically runs under an interactive user account, the attacker gains write access to the user's home directory. Overwriting ~/.bashrc, ~/.bash_profile, or ~/.ssh/authorized_keys converts a single file write into persistent code execution or remote access on the next shell login or SSH connection.
Root Cause
The root cause is missing validation of ZIP entry names during theme import, a pattern commonly referred to as Zip Slip. The extraction logic trusts archive metadata and does not enforce that resolved output paths stay within the intended theme directory boundary.
Attack Vector
Exploitation requires local user interaction. The victim must import a malicious theme file supplied by the attacker through phishing, a malicious project share, or a compromised theme distribution channel. No authentication or elevated privileges are required on the Ghidra side. The attack vector is local with user interaction, consistent with the CVSS 4.0 vector for this issue.
Technical details and proof-of-concept information are documented in the GitHub Security Advisory GHSA-3r55-xjr4-jh8f and the VulnCheck Advisory on Ghidra.
Detection Methods for CVE-2026-52755
Indicators of Compromise
- Theme ZIP files containing entries with ../ or ..\ sequences in filenames
- Unexpected modifications to ~/.bashrc, ~/.bash_profile, ~/.profile, or ~/.zshrc on analyst workstations
- New or modified entries in ~/.ssh/authorized_keys not corresponding to legitimate key rotations
- Ghidra process writing files outside its configured theme directory under ~/.config/ghidra/ or equivalent
Detection Strategies
- Inspect ZIP archives prior to import using unzip -l and flag any entry name containing path traversal sequences
- Deploy file integrity monitoring on shell startup files and SSH configuration directories for users running Ghidra
- Audit Ghidra installations across the environment and verify versions are at or above 12.0.4
- Hunt for child processes spawned by shells immediately after a Ghidra session ends, which may indicate .bashrc tampering
Monitoring Recommendations
- Enable endpoint telemetry for file write events targeting dotfiles in user home directories
- Alert on Ghidra binaries creating files outside the standard Ghidra working directories
- Forward shell startup file modification events into the centralized SIEM for correlation across analyst hosts
- Track installation and update activity for Ghidra in software inventory systems
How to Mitigate CVE-2026-52755
Immediate Actions Required
- Upgrade all Ghidra installations to version 12.0.4 or later without delay
- Refrain from importing theme files received from untrusted or unverified sources
- Audit recent theme imports on analyst workstations and inspect dotfiles for unauthorized changes
- Rotate SSH keys for any user whose authorized_keys file shows unexpected modifications
Patch Information
The National Security Agency released Ghidra 12.0.4 containing a fix that validates ZIP entry names and rejects paths resolving outside the theme directory. Refer to the GitHub Security Advisory GHSA-3r55-xjr4-jh8f for the official patch notes and the corrected extraction logic.
Workarounds
- Disable or avoid the theme import functionality until Ghidra is updated to 12.0.4
- Run Ghidra inside a dedicated sandbox or container with no access to sensitive dotfiles or SSH keys
- Manually inspect every theme ZIP archive with unzip -l filename.zip and reject archives containing traversal sequences
- Restrict theme distribution to internal, signed sources reviewed by the security team
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

