Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-6940
7.1 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): High (H)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): High (H)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
radare2 < 6.1.4 Project Deletion Path Traversal Directory Deletion
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
References
-
-
Patch Commit issue-tracking
-
https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-di… third-party-advisory
Affected products
radare2
- <6.1.4
- <e5fcf56fe038760c872c6dbed432602778fde1ed git
Package maintainers
-
@arkivm Vikram Narayanan <vikram186@gmail.com>
-
@azahi Azat Bahawi <azat@bahawi.net>
-
@Mic92 Jörg Thalheim <joerg@thalheim.io>
-
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
-
@makefu Felix Richter <makefu@syntax-fehler.de>