CVE-2026-6940
Published: 23 April 2026
Summary
CVE-2026-6940 is a high-severity path traversal (CWE-22) vulnerability in radare2 (vendor: Radare). Its CVSS base score is 7.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Data Destruction (T1485). The vulnerability ranks at the 6.3 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely patching to radare2 6.1.4 or later, which fixes the path traversal in project deletion.
- SI-10 (Information Input Validation): requires validation of supplied project paths to ensure they do not escape the configured dir.projects root directory, preventing traversal.
- Least privilege for the radare2 process: limits the directories the process can access and delete, reducing the integrity and availability impact of exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in project deletion directly enables recursive deletion of arbitrary directories, which maps to Data Destruction (T1485) with high integrity and availability impact.
NVD Description
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
Deeper analysis
CVE-2026-6940 is a path traversal vulnerability (CWE-22) affecting radare2 versions prior to 6.1.4, specifically in the project deletion functionality. The flaw enables attackers to supply absolute paths that escape the configured dir.projects root directory, leading to recursive deletion of arbitrary directories. This issue arises when attackers craft paths to project marker files outside the intended project storage boundary, exploiting the deletion mechanism to target attacker-chosen locations with the permissions of the radare2 process.
Local attackers can exploit this vulnerability with low complexity and no privileges required (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H, score 7.1), though it requires user interaction, such as convincing a user to delete a maliciously crafted project. Successful exploitation results in high integrity and availability impacts, allowing recursive deletion of directories, but no confidentiality loss.
Mitigation is available through a patch in radare2 pull request 25830 on GitHub, which addresses the path traversal in project deletion. VulnCheck has published an advisory detailing the vulnerability and recommending an upgrade to radare2 6.1.4 or later to prevent arbitrary directory deletion.
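As an added illustration of the input-validation control (SI-10) that the analysis above recommends, the following C code shows the shape of a containment check: a user-supplied project name or path is resolved against a projects root (the role dir.projects plays in radare2) and accepted only if the normalized result lies strictly inside that root, so neither an absolute path nor a ".." sequence can steer a deletion elsewhere. This is example code written for this page, not code from the radare2 project or from pull request 25830; the function names, the buffer size, the sample root and the sample inputs are all constructed here.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 4096   /* constructed buffer size for this example */

/* Lexically normalize an absolute path: drop empty ("//") and "." components
 * and resolve ".." against the components already kept; ".." above the root
 * stays at "/". Returns 0 on success, -1 if `in` is not absolute or does not
 * fit in `out`. Symlinks are deliberately not resolved here. */
static int normalize_abs_path(const char *in, char *out, size_t outsz)
{
    if (in == NULL || in[0] != '/' || outsz < 2)
        return -1;
    size_t outlen = 0;
    out[0] = '\0';
    for (const char *p = in; *p; ) {
        while (*p == '/')
            p++;                              /* skip one or more separators */
        if (*p == '\0')
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t tl = (size_t)(p - start);
        if (tl == 1 && start[0] == '.')
            continue;                         /* "." changes nothing */
        if (tl == 2 && start[0] == '.' && start[1] == '.') {
            while (outlen > 0 && out[outlen - 1] != '/')
                outlen--;                     /* back to the previous '/' */
            if (outlen > 0)
                outlen--;                     /* and drop that '/' as well */
            out[outlen] = '\0';
            continue;
        }
        if (outlen + 1 + tl + 1 > outsz)
            return -1;                        /* '/' + component + NUL overflow */
        out[outlen++] = '/';
        memcpy(out + outlen, start, tl);
        outlen += tl;
        out[outlen] = '\0';
    }
    if (outlen == 0) {                        /* everything cancelled out */
        out[0] = '/';
        out[1] = '\0';
    }
    return 0;
}

/* Resolve a user-supplied project name or path against the configured
 * projects root and accept it only if the normalized result lies strictly
 * inside that root (the root itself and anything outside it are refused).
 * Returns 1 and fills `out` with the normalized path, or 0 to refuse.
 * Assumes the root is a real directory path, not "/" itself. */
int project_path_within_root(const char *root, const char *project,
                             char *out, size_t outsz)
{
    char nroot[PATH_BUF], joined[PATH_BUF];

    if (project == NULL || project[0] == '\0')
        return 0;
    if (normalize_abs_path(root, nroot, sizeof nroot) != 0)
        return 0;
    /* An absolute input is taken as given (the shape the advisory describes);
     * a relative one is joined onto the root. The containment check below,
     * not the shape of the input, decides the outcome. */
    int n = (project[0] == '/')
        ? snprintf(joined, sizeof joined, "%s", project)
        : snprintf(joined, sizeof joined, "%s/%s", nroot, project);
    if (n < 0 || (size_t)n >= sizeof joined)
        return 0;
    if (normalize_abs_path(joined, out, outsz) != 0)
        return 0;
    /* A bare prefix match is not enough: "/a/projects-evil" starts with
     * "/a/projects". The root must be followed by a separator. */
    size_t rl = strlen(nroot);
    if (strncmp(out, nroot, rl) != 0 || out[rl] != '/')
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed root and inputs for demonstration; not values from the advisory. */
    const char *root = "/home/user/.local/share/radare2/projects";
    const char *inputs[] = {
        "myproj",                                     /* ordinary name */
        "sub/./proj//v2",                             /* harmless path noise */
        "../../../../../../etc",                      /* climbs out with ".." */
        "/home/user/Documents",                       /* absolute, outside root */
        "/home/user/.local/share/radare2/projects/x", /* absolute, inside root */
        ".",                                          /* the root itself */
    };
    char out[PATH_BUF];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int ok = project_path_within_root(root, inputs[i], out, sizeof out);
        printf("%-46s -> %s %s\n", inputs[i], ok ? "accept" : "REJECT", ok ? out : "");
    }
    return 0;
}
```

The check here is purely lexical, which is enough to stop the absolute-path and ".." cases the advisory describes, but a symlink placed inside the root can still point outside it. A deletion routine should therefore follow this check by resolving the accepted path with realpath() and running the same containment test on the result, and should confirm with lstat() that the project marker it is about to act on is a regular file inside the root before any recursive removal begins.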
Details
- CWE(s)