Impact
The vulnerability resides in Ghidra versions prior to 12.1. The SameDirDebugInfoProvider component fails to validate filenames extracted from ELF binary .gnu_debuglink sections, allowing a crafted ELF binary to introduce traversal sequences. When Ghidra automatically resolves DWARF external debug files, it concatenates the untrusted filename with a directory path, enabling path traversal. As a result, an attacker can probe the file system to discover the existence of files and leak CRC32 hashes of arbitrary files without needing direct file read permissions. The weakness is classified as CWE-22, leading to information‑disclosure risk.
Affected Systems
The affected product is Ghidra from the National Security Agency. Any deployment of Ghidra 12.0 or earlier is vulnerable. No sub‑version range is provided beyond the <12.1 threshold. The attack requires that the malicious ELF binary be processed by Ghidra, so the exploit surface is limited to systems where analysis of user‑supplied binaries is performed.
Risk and Exploitability
The CVSS score of 4.6 indicates a moderate impact. The EPSS score is currently unavailable, so no exploitation data is available, and the vulnerability's absence from KEV also points to low immediate risk. The likely attack vector is a local or remote binary fed to Ghidra’s DWARF analysis, so any system that automatically processes potentially untrusted ELF files is at risk. Mitigation hinges on patching the vulnerability or configuring Ghidra so that it does not resolve external debug info from untrusted sources.