Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-52755

CVE-2026-52755: Ghidra Path Traversal Vulnerability

CVE-2026-52755 is a path traversal flaw in Ghidra's theme import feature that enables attackers to write files outside intended directories. This post covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-52755 Overview

CVE-2026-52755 is a path traversal vulnerability in Ghidra, the open-source software reverse engineering framework maintained by the National Security Agency. Versions prior to 12.0.4 fail to validate filenames when extracting user-supplied theme ZIP archives. Attackers craft a malicious theme archive containing entries with ../ traversal sequences, causing Ghidra to write files outside the intended theme directory. Successful exploitation allows attackers to overwrite sensitive files such as ~/.bashrc or ~/.ssh/authorized_keys, leading to arbitrary code execution under the analyst's account. The vulnerability is tracked as CWE-22 and represents a classic Zip Slip flaw in a security-sensitive tool widely used across malware analysis and vulnerability research teams.

Critical Impact

A crafted theme ZIP can write arbitrary files to the user's home directory, enabling code execution through shell startup files or SSH key overwrite.

Affected Products

  • Ghidra versions prior to 12.0.4
  • National Security Agency Ghidra reverse engineering framework
  • All operating systems supporting Ghidra (Windows, Linux, macOS)

Discovery Timeline

  • 2026-06-10 - CVE-2026-52755 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-52755

Vulnerability Analysis

Ghidra supports importing user-defined themes packaged as ZIP archives. The theme import routine iterates over archive entries and writes each to the configured theme directory. The implementation concatenates entry names directly with the destination path without canonicalizing the resulting path or verifying it remains within the target directory.

An attacker constructs a ZIP archive containing entries whose names include directory traversal sequences. When Ghidra extracts the archive, the traversal sequences resolve outside the theme directory. The process writes attacker-controlled content to arbitrary filesystem locations writable by the user running Ghidra.

Because Ghidra typically runs under an interactive user account, the attacker gains write access to the user's home directory. Overwriting ~/.bashrc, ~/.bash_profile, or ~/.ssh/authorized_keys converts a single file write into persistent code execution or remote access on the next shell login or SSH connection.

Root Cause

The root cause is missing validation of ZIP entry names during theme import, a pattern commonly referred to as Zip Slip. The extraction logic trusts archive metadata and does not enforce that resolved output paths stay within the intended theme directory boundary.

Attack Vector

Exploitation requires local user interaction. The victim must import a malicious theme file supplied by the attacker through phishing, a malicious project share, or a compromised theme distribution channel. No authentication or elevated privileges are required on the Ghidra side. The attack vector is local with user interaction, consistent with the CVSS 4.0 vector for this issue.

Technical details and proof-of-concept information are documented in the GitHub Security Advisory GHSA-3r55-xjr4-jh8f and the VulnCheck Advisory on Ghidra.

Detection Methods for CVE-2026-52755

Indicators of Compromise

  • Theme ZIP files containing entries with ../ or ..\ sequences in filenames
  • Unexpected modifications to ~/.bashrc, ~/.bash_profile, ~/.profile, or ~/.zshrc on analyst workstations
  • New or modified entries in ~/.ssh/authorized_keys not corresponding to legitimate key rotations
  • Ghidra process writing files outside its configured theme directory under ~/.config/ghidra/ or equivalent

Detection Strategies

  • Inspect ZIP archives prior to import using unzip -l and flag any entry name containing path traversal sequences
  • Deploy file integrity monitoring on shell startup files and SSH configuration directories for users running Ghidra
  • Audit Ghidra installations across the environment and verify versions are at or above 12.0.4
  • Hunt for child processes spawned by shells immediately after a Ghidra session ends, which may indicate .bashrc tampering

Monitoring Recommendations

  • Enable endpoint telemetry for file write events targeting dotfiles in user home directories
  • Alert on Ghidra binaries creating files outside the standard Ghidra working directories
  • Forward shell startup file modification events into the centralized SIEM for correlation across analyst hosts
  • Track installation and update activity for Ghidra in software inventory systems

How to Mitigate CVE-2026-52755

Immediate Actions Required

  • Upgrade all Ghidra installations to version 12.0.4 or later without delay
  • Refrain from importing theme files received from untrusted or unverified sources
  • Audit recent theme imports on analyst workstations and inspect dotfiles for unauthorized changes
  • Rotate SSH keys for any user whose authorized_keys file shows unexpected modifications

Patch Information

The National Security Agency released Ghidra 12.0.4 containing a fix that validates ZIP entry names and rejects paths resolving outside the theme directory. Refer to the GitHub Security Advisory GHSA-3r55-xjr4-jh8f for the official patch notes and the corrected extraction logic.

Workarounds

  • Disable or avoid the theme import functionality until Ghidra is updated to 12.0.4
  • Run Ghidra inside a dedicated sandbox or container with no access to sensitive dotfiles or SSH keys
  • Manually inspect every theme ZIP archive with unzip -l filename.zip and reject archives containing traversal sequences
  • Restrict theme distribution to internal, signed sources reviewed by the security team

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.