CVE-2026-6941
Published: 23 April 2026
Summary
CVE-2026-6941 is a medium-severity Link Following (CWE-59) vulnerability in Radare Radare2. Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely patching of radare2 to version 6.1.4 or later, directly remediating the path traversal vulnerability in project notes handling via symlinked .zrp archives.
Mandates validation of inputs from .zrp archives to detect and block malicious symlinked notes.txt files that enable path traversal outside the project directory.
Enforces logical access controls to mediate file operations, preventing note handling from following symlinks to arbitrary files outside the configured dir.projects root.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability exploited via import of malicious .zrp archive (T1204.002 Malicious File) enabling arbitrary file read (T1005 Data from Local System) and overwrite (T1565.001 Stored Data Manipulation) outside project directory.
NVD Description
radare2 prior to 6.1.4 contains a path traversal vulnerability in its project notes handling that allows attackers to read or write files outside the configured project directory by importing a malicious .zrp archive containing a symlinked notes.txt file. Attackers can…
more
craft a .zrp archive with a symlinked notes.txt that bypasses directory confinement checks, allowing note operations to follow the symlink and access arbitrary files outside the dir.projects root directory.
Deeper analysisAI
CVE-2026-6941 is a path traversal vulnerability (CWE-59, CWE-22) in radare2 versions prior to 6.1.4, specifically in the project notes handling feature. The flaw arises when importing a malicious .zrp archive containing a symlinked notes.txt file, which bypasses directory confinement checks in the dir.projects root directory. This allows note operations to follow the symlink, enabling read or write access to arbitrary files outside the configured project directory.
The vulnerability can be exploited by a local attacker with no privileges required (PR:N), though it demands low-complexity actions (AC:L) and user interaction (UI:R) to convince a victim to import the crafted .zrp archive. Successful exploitation yields low confidentiality impact (C:L), high integrity impact (I:H), and low availability impact (A:L), resulting in a CVSS v3.1 base score of 6.6. Attackers can thereby read sensitive files or overwrite arbitrary files outside the project scope.
Mitigation is addressed in radare2 version 6.1.4 and later via patches detailed in the fixing commit at https://github.com/radareorg/radare2/commit/4bcdee725ff0754ed721a98789c0af371c5f32a4 and pull request https://github.com/radareorg/radare2/pull/25831. Further analysis is provided in the VulnCheck advisory at https://www.vulncheck.com/advisories/radare2-project-notes-path-traversal-via-symlink.
Details
- CWE(s)