CVE-2026-6940

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/radareorg/radare2/pull/25830	Exploit Issue Tracking Third Party Advisory
https://github.com/radareorg/radare2/pull/25830/commits	Issue Tracking Patch
https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletion	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*

History

27 Apr 2026, 14:56

Type	Values Removed	Values Added
References	~~() https://github.com/radareorg/radare2/pull/25830 -~~	() https://github.com/radareorg/radare2/pull/25830 - Exploit, Issue Tracking, Third Party Advisory
References	~~() https://github.com/radareorg/radare2/pull/25830/commits -~~	() https://github.com/radareorg/radare2/pull/25830/commits - Issue Tracking, Patch
References	~~() https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletion -~~	() https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletion - Third Party Advisory
First Time		Radare Radare radare2
CPE		cpe:2.3:a:radare:radare2::::::::

23 Apr 2026, 21:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-23 21:16

Updated : 2026-04-27 14:56

NVD link : CVE-2026-6940

Mitre link : CVE-2026-6940

CVE.ORG link : CVE-2026-6940

JSON object : View

Products Affected

radare

radare2

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-6940", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 1.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-04-23T21:16:06.640", "references": [{"url": "https://github.com/radareorg/radare2/pull/25830", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/radareorg/radare2/pull/25830/commits", "tags": ["Issue Tracking", "Patch"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletion", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss."}], "lastModified": "2026-04-27T14:56:28.570", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEDC34E8-8476-44C6-A73A-D9CF18F12844", "versionEndExcluding": "6.1.4"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}