Vulnerability Description
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Radare | Radare2 | < 6.1.4 |
Related Weaknesses (CWE)
References
- https://github.com/radareorg/radare2/pull/25830ExploitIssue TrackingThird Party Advisory
- https://github.com/radareorg/radare2/pull/25830/commitsIssue TrackingPatch
- https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-dirThird Party Advisory
FAQ
What is CVE-2026-6940?
CVE-2026-6940 is a vulnerability with a CVSS score of 7.1 (HIGH). radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the c...
How severe is CVE-2026-6940?
CVE-2026-6940 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-6940?
Check the references section above for vendor advisories and patch information. Affected products include: Radare Radare2.