Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-52756

CVE-2026-52756: Ghidra Path Traversal Vulnerability

CVE-2026-52756 is a path traversal flaw in Ghidra's IsfServer that allows remote attackers to enumerate filesystem paths via port 54321. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-52756 Overview

CVE-2026-52756 is an unauthenticated path traversal vulnerability [CWE-22] in Ghidra versions before 12.2. The flaw resides in the Instrumentation Server Framework (ISF) component of the Ghidra debugger. The IsfServer accepts TCP connections on port 54321 and passes client-supplied namespace strings directly to filesystem operations without validation. Remote attackers can connect to the exposed port and send crafted protobuf messages containing traversal sequences to enumerate filesystem paths and probe arbitrary files on the host running Ghidra.

Critical Impact

Unauthenticated network attackers can probe and enumerate arbitrary filesystem paths on systems running vulnerable Ghidra ISF Server instances, leading to information disclosure.

Affected Products

  • Ghidra versions prior to 12.2
  • Ghidra Debugger ISF Server component
  • Systems exposing TCP port 54321 running affected Ghidra versions

Discovery Timeline

  • 2026-06-10 - CVE-2026-52756 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-52756

Vulnerability Analysis

The vulnerability exists in the IsfServer component of Ghidra, the reverse engineering framework maintained by the National Security Agency (NSA). The IsfServer exposes a TCP listener on port 54321 that accepts protobuf-encoded messages from remote clients. Client-supplied namespace strings within these messages are passed directly to filesystem operations without any sanitization or validation.

This design allows an attacker to inject directory traversal sequences such as ../ into namespace fields. The server then resolves these sequences against the local filesystem, enabling enumeration of paths outside the intended scope. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

The attack requires no authentication and can be performed over the network. Successful exploitation leaks information about the host filesystem layout and confirms the presence or absence of specific files.

Root Cause

The root cause is the absence of input validation on namespace strings received over the protobuf protocol. The IsfServer trusts client-supplied path components and concatenates them with server-side base paths before invoking filesystem APIs. No canonicalization or allowlist enforcement is applied, allowing parent directory references to escape the intended namespace boundary.

Attack Vector

An unauthenticated remote attacker establishes a TCP connection to port 54321 on a host running Ghidra with the ISF Server enabled. The attacker constructs a protobuf message that embeds traversal sequences within the namespace field. Upon receipt, the server resolves the traversed path and returns information indicating whether the targeted filesystem object exists, enabling iterative enumeration of arbitrary paths.

The vulnerability mechanism is documented in the GitHub Security Advisory GHSA-8pr2-46mf-v2r2 and the VulnCheck Advisory on Ghidra Vulnerability. Refer to those sources for protocol-level technical details.

Detection Methods for CVE-2026-52756

Indicators of Compromise

  • Inbound TCP connections to port 54321 from unexpected or external sources on hosts running Ghidra
  • Protobuf-formatted traffic containing path traversal sequences such as ../ or encoded variants in namespace fields
  • Unusual filesystem access patterns originating from Ghidra processes, particularly reads outside the project workspace directory
  • Repeated short-lived TCP sessions to the IsfServer port consistent with path enumeration

Detection Strategies

  • Monitor network flows for connections to TCP port 54321 and alert on sources outside the trusted analyst workstation range
  • Deploy network IDS signatures that inspect protobuf payloads to the ISF Server port for traversal sequences
  • Audit Ghidra process file descriptors to identify access to paths outside the configured project directory

Monitoring Recommendations

  • Log all TCP listeners bound to port 54321 across the environment and correlate against Ghidra installations
  • Capture and retain network packet metadata for ISF Server traffic to support retrospective investigation
  • Alert on Ghidra processes spawned with debugger ISF Server flags on hosts not designated for reverse engineering work

How to Mitigate CVE-2026-52756

Immediate Actions Required

  • Upgrade Ghidra to version 12.2 or later, which contains the fix for the IsfServer input validation flaw
  • Identify all hosts running Ghidra and confirm whether the debugger ISF Server is enabled
  • Restrict inbound access to TCP port 54321 to localhost or trusted management subnets only
  • Disable the IsfServer feature on installations that do not require remote debugger interaction

Patch Information

The vulnerability is resolved in Ghidra 12.2. The National Security Agency, which maintains Ghidra, has published the fix and advisory at the GitHub Security Advisory GHSA-8pr2-46mf-v2r2. Administrators should download the updated release from the official Ghidra GitHub repository and replace existing installations.

Workarounds

  • Bind the IsfServer listener to the loopback interface 127.0.0.1 rather than 0.0.0.0 to prevent remote access
  • Apply host-based firewall rules to block external connections to TCP port 54321
  • Run Ghidra under a dedicated low-privilege user account with restricted filesystem permissions to limit information exposed by traversal
  • Operate Ghidra inside an isolated network segment or virtual machine when handling untrusted samples
bash
# Restrict ISF Server port to localhost using iptables
iptables -A INPUT -p tcp --dport 54321 ! -s 127.0.0.1 -j DROP

# Verify no external listeners on the ISF Server port
ss -tlnp | grep 54321

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.