Description
radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
Published: 2026-04-23
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Directory Deletion
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows a local attacker to supply an absolute file path that escapes the configured projects directory (dir.projects) and causes radare2 to recursively delete arbitrary directories. This path traversal flaw (CWE-22) results in unintended deletion of directories that the radare2 process has permission to remove, causing loss of data integrity and service availability.
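As an added illustration (not radare2's own code, which this page does not show), the pattern behind this bug class is placed beside the containment check a defender would expect to run before any recursive delete under dir.projects; `naive_project_path`, `project_path_within_root` and the `/srv/r2/projects` root are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only (not radare2's code): the bug class this CVE describes.
 * An absolute name is accepted as-is, so a later recursive delete runs on
 * whatever directory the caller named, outside the projects root. */
bool naive_project_path(const char *root, const char *name, char *out, size_t outsz) {
    if (name[0] == '/') {
        return snprintf(out, outsz, "%s", name) < (int)outsz;
    }
    return snprintf(out, outsz, "%s/%s", root, name) < (int)outsz;
}

/* Hardened form: accept `name` only if it resolves, lexically, to a location
 * strictly inside `root`. Rejects absolute names, any ".." that climbs above
 * root, and names that collapse to root itself. This is lexical only; symlinks
 * inside root still need a separate check (e.g. realpath() and re-compare). */
bool project_path_within_root(const char *root, const char *name, char *out, size_t outsz) {
    char rel[1024] = "";
    size_t len = 0;
    int depth = 0;                    /* components below root held in `rel` */
    if (!root || !name || name[0] == '\0' || name[0] == '/') return false;
    while (*name) {
        while (*name == '/') name++;  /* skip separators (also "a//b") */
        const char *seg = name;
        while (*name && *name != '/') name++;
        size_t seglen = (size_t)(name - seg);
        if (seglen == 0 || (seglen == 1 && seg[0] == '.')) continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return false;          /* would escape root */
            while (len > 0 && rel[len - 1] != '/') len--;
            if (len > 0) len--;                    /* drop the separator */
            rel[len] = '\0';
            depth--;
            continue;
        }
        if (len + 1 + seglen + 1 > sizeof rel) return false;
        if (len > 0) rel[len++] = '/';
        memcpy(rel + len, seg, seglen);
        len += seglen;
        rel[len] = '\0';
        depth++;
    }
    if (depth == 0) return false;                  /* name is root itself */
    return snprintf(out, outsz, "%s/%s", root, rel) < (int)outsz;
}
```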

Affected Systems

radareorg:radare2 for all releases older than 6.1.4. No specific list of patched versions is provided, but any installation running radare2 before version 6.1.4 is affected.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate to high severity. The EPSS score of less than 1% suggests a very low probability of observed exploitation. The vulnerability is not included in CISA's KEV catalog. The attack vector is local, requiring the attacker to be able to run radare2 or invoke the project deletion operation. No network or remote exploitation path is described.

Generated by OpenCVE AI on April 28, 2026 at 07:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to radare2 version 6.1.4 or later.
  • If upgrading is not immediately feasible, restrict the user permissions of the radare2 process and place the project root in a directory with minimal required access.
  • Disable or remove the project deletion functionality if it is not needed in the environment.
  • Apply the patch from the commit referenced in the GitHub pull request proactively.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Radare; Radare radare2
Type: CPEs
Values Added: cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Radare; Radare radare2

Fri, 24 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 21:00:00 +0000

Type: Description
Values Added: radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
Type: Title
Values Added: radare2 < 6.1.4 Project Deletion Path Traversal Directory Deletion
Type: Weaknesses
Values Added: CWE-22
Type: References
Type: Metrics
Values Added: cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-24T13:38:15.158Z

Reserved: 2026-04-23T20:00:58.248Z

Link: CVE-2026-6940

Vulnrichment

Updated: 2026-04-24T13:38:10.071Z

NVD

Status : Analyzed

Published: 2026-04-23T21:16:06.640

Modified: 2026-04-27T14:56:28.570

Link: CVE-2026-6940

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T07:30:26Z

Weaknesses