CVE-2026-6941

EUVD-2026-25302

23.04.2026, 21:16

radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.

Link Following

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.6 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

radare2

sid	vulnerable

Ubuntu Releases

Ubuntu Product

Codename

radare2

bionic	needs-triage
focal	needs-triage
jammy	dne
noble	needs-triage
questing	needs-triage
resolute	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-59 - Improper Link Resolution Before File Access ('Link Following')
The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

References

https://github.com/radareorg/radare2/commit/4bcdee725ff0754ed721a98789c0af371c5f32a4

https://github.com/radareorg/radare2/pull/25831

https://www.vulncheck.com/advisories/radare2-project-notes-path-traversal-via-symlink