CVE-2026-6940

Severity: High · ⚡ Exploit Available
Weakness Type: CWE-22 (Path Traversal)
Published: Apr 23, 2026  ·  Modified: Apr 30, 2026  ·  Source: NVD
CVSS v3: 7.1
📄 Description (English)

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.
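The mechanism the description outlines, shown as an added example that is not radare2's own code: a project name is joined to the configured dir.projects root and the result is deleted recursively, so an absolute name discards the root and the deletion lands wherever the caller pointed it. The marker filename (`rc`), the helper names and the temporary directory layout are assumptions made for illustration; the hardened variant rejects absolute names, resolves symlinks and requires the resolved path to sit strictly under the root.

```python
"""Path-containment check for project deletion (CWE-22).

Added example modelling the bug class in the CVE description; not radare2 code.
"""
import os
import shutil
import tempfile

MARKER_FILE = "rc"   # assumed name of the per-project marker file (illustrative)


def unsafe_project_dir(root, name):
    """The vulnerable pattern: os.path.join discards every earlier component
    when a later one is absolute, so name='/home/alice/research' yields exactly
    that path rather than a child of root."""
    return os.path.join(root, name)


def safe_project_dir(root, name):
    """Return the project directory under root, or raise ValueError if name escapes it."""
    if not name or os.path.isabs(name) or os.sep in name or name in (".", ".."):
        raise ValueError("project name must be a single relative path component")
    root_real = os.path.realpath(root)
    # realpath follows symlinks, so a link planted inside the root that points
    # elsewhere resolves to its target and fails the containment test below.
    candidate = os.path.realpath(os.path.join(root_real, name))
    # commonpath, unlike a string-prefix test, does not accept /projects-evil for /projects.
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"{name!r} resolves outside {root_real}")
    return candidate


def delete_project(root, name):
    """Recursively delete a project only after proving it lies inside root."""
    target = safe_project_dir(root, name)
    if not os.path.isfile(os.path.join(target, MARKER_FILE)):
        raise FileNotFoundError(f"no project marker in {target}")
    shutil.rmtree(target)
    return target


def demo():
    """Constructed scenario: one real project, a victim directory outside the
    root (with an attacker-planted marker), and a symlink inside the root that
    points at the victim.  Returns a dict of outcomes."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "projects")
    victim = os.path.join(base, "research")
    os.makedirs(os.path.join(root, "demo"))
    os.makedirs(victim)
    for d in (os.path.join(root, "demo"), victim):
        open(os.path.join(d, MARKER_FILE), "w").close()
    os.symlink(victim, os.path.join(root, "link"))

    results = {"unsafe_join_escapes": unsafe_project_dir(root, victim) == victim}
    for attempt, label in ((victim, "absolute_blocked"), ("link", "symlink_blocked")):
        try:
            delete_project(root, attempt)
            results[label] = False
        except ValueError:
            results[label] = True
    delete_project(root, "demo")
    results["demo_deleted"] = not os.path.isdir(os.path.join(root, "demo"))
    results["victim_survives"] = os.path.isdir(victim)
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The symlink case is the one a simple "reject absolute paths" fix misses: an attacker who can write inside dir.projects can still point a name at any directory the radare2 user may delete, which is why the check resolves the path before comparing it to the root.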

🤖 AI Executive Summary

CVE-2026-6940 is a high-severity (CVSS 3.1 base score 7.1) path traversal vulnerability in radare2 versions prior to 6.1.4. The project-deletion code does not confine the supplied project path to the configured dir.projects root, so an absolute path that points at a project marker file elsewhere on disk causes that directory to be deleted recursively with the privileges of the radare2 process. The vector (AV:L, PR:N, UI:R) encodes that no privileges are required but the deletion is carried out by the victim's own radare2 session, which is why the impact is bounded by the permissions of the account running radare2. A public exploit is available, and the description names 6.1.4 as the first fixed version, so organizations that use radare2 for reverse engineering and malware analysis should treat unpatched installs as an immediate exposure.


🤖 AI Intelligence Analysis (analyzed May 9, 2026 07:08)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily affects Saudi government cybersecurity agencies (NCA), financial institutions that conduct security research, and telecommunications companies (STC) that use radare2 for malware analysis and reverse engineering. It is of particular concern for ARAMCO and other critical-infrastructure operators that rely on radare2 for security assessments. A local attacker on a system running radare2 could cause the deletion of research data, security logs or other files, limited only by the permissions of the account running radare2, leading to operational disruption and compliance findings under the NCA ECC 2024 and SAMA CSF frameworks.
🏢 Affected Saudi Sectors
Government (NCA, security agencies); Banking and Financial Services; Telecommunications (STC); Energy and Oil & Gas (ARAMCO); Critical Infrastructure; Cybersecurity Research Organizations; Defense and Military
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Inventory every system running radare2 older than 6.1.4 (`r2 -v` prints the installed version); include analyst workstations, sandbox VMs and CI images that bundle radare2.
2. Restrict local access to hosts running vulnerable radare2 instances to the analysts who need it (least privilege).
3. Monitor the dir.projects directory and the directories around it for unexpected recursive deletions.
4. Review shell history and audit logs for project deletions whose target lay outside dir.projects.

Patching Guidance:
1. Upgrade radare2 to version 6.1.4 or later; the NVD description names 6.1.4 as the first version without the flaw.
2. Until the upgrade is in place, avoid deleting projects from inside radare2 (the `P-` command); remove project directories from the shell, where the path is visible before it is removed.
3. Run radare2 as an unprivileged account that owns only its own working data, never as root.

Compensating Controls:
1. Bound what a traversal can reach with ordinary file permissions: the deletion runs with the radare2 process's own privileges, so the radare2 user should have no write access to system directories, shared sample stores or other users' data (project directories themselves chmod 750 or stricter).
2. Confine radare2 with an AppArmor or SELinux profile that permits writes only under dir.projects and the analyst's working directory.
3. Enable file integrity monitoring (FIM) tools such as AIDE or Tripwire on critical directories.
4. Audit deletions at the directory level (for example auditd rules on unlink, unlinkat and rmdir for the radare2 binary).
5. Run analysis in containers (Docker/Kubernetes) with a read-only root filesystem and only the sample and project volumes mounted read-write.

Detection Rules:
1. Alert on recursive directory deletions initiated by radare2 processes.
2. Alert on unlink, unlinkat or rmdir syscalls from radare2 whose target resolves outside the configured dir.projects root; alerting on every path radare2 opens is too noisy, since it legitimately reads binaries from anywhere on disk.
3. Track failed and successful deletions of system-critical directories regardless of the initiating process.
4. Collect the syscall telemetry with auditd (or an eBPF tracer) keyed on the radare2 binary so events can be correlated with the analyst session.
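Detection rules 2 and 4 above, worked through as an added example that is not part of the advisory: a parser over auditd records that groups SYSCALL, CWD and PATH lines by event serial, keeps delete syscalls issued by the radare2 binary, resolves relative targets against the recorded cwd, and flags any target that lies outside dir.projects. The audit rule in the docstring, the dir.projects value, the binary path and the log lines are all constructed for the example; syscall numbers are the x86_64 ones.

```python
"""Flag delete syscalls from radare2 whose target lies outside dir.projects.

Added example, not part of the advisory.  Assumed collection rule (binary path
and key are assumptions):
    -a always,exit -F arch=b64 -S unlink,unlinkat,rmdir -F exe=/usr/bin/radare2 -k r2_delete
"""
import posixpath
import re
from collections import defaultdict

PROJECTS_ROOT = "/home/alice/.local/share/radare2/projects"   # assumed dir.projects value
DELETE_SYSCALLS = {84: "rmdir", 87: "unlink", 263: "unlinkat"}  # x86_64 syscall numbers

_SERIAL_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")
# key=value pairs; audit quotes string values but hex-encodes names with odd
# bytes unquoted (not decoded here).
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample: 9001 is a legitimate delete inside the root, 9002 an
# absolute path outside it, 9003 a cwd-relative escape, 9004 is from rm, not radare2.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1777300000.101:9001): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2345 uid=1000 comm="radare2" exe="/usr/bin/radare2" key="r2_delete"
type=CWD msg=audit(1777300000.101:9001): cwd="/home/alice"
type=PATH msg=audit(1777300000.101:9001): item=0 name="/home/alice/.local/share/radare2/projects" nametype=PARENT
type=PATH msg=audit(1777300000.101:9001): item=1 name="/home/alice/.local/share/radare2/projects/demo" nametype=DELETE
type=SYSCALL msg=audit(1777300000.205:9002): arch=c000003e syscall=84 success=yes exit=0 items=2 pid=2345 uid=1000 comm="radare2" exe="/usr/bin/radare2" key="r2_delete"
type=CWD msg=audit(1777300000.205:9002): cwd="/home/alice"
type=PATH msg=audit(1777300000.205:9002): item=0 name="/home/alice/research" nametype=PARENT
type=PATH msg=audit(1777300000.205:9002): item=1 name="/home/alice/research/samples" nametype=DELETE
type=SYSCALL msg=audit(1777300000.310:9003): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2345 uid=1000 comm="radare2" exe="/usr/bin/radare2" key="r2_delete"
type=CWD msg=audit(1777300000.310:9003): cwd="/home/alice/.local/share/radare2/projects"
type=PATH msg=audit(1777300000.310:9003): item=0 name="../../../../research" nametype=PARENT
type=PATH msg=audit(1777300000.310:9003): item=1 name="../../../../research/notes" nametype=DELETE
type=SYSCALL msg=audit(1777300000.400:9004): arch=c000003e syscall=263 success=yes exit=0 items=2 pid=2400 uid=1000 comm="rm" exe="/usr/bin/rm" key="r2_delete"
type=CWD msg=audit(1777300000.400:9004): cwd="/home/alice"
type=PATH msg=audit(1777300000.400:9004): item=1 name="/home/alice/tmp/old" nametype=DELETE
"""


def parse_record(line):
    """One audit line -> dict of fields plus its event serial, or None."""
    m = _SERIAL_RE.search(line)
    if not m:
        return None
    rec = {k: q or u for k, q, u in _FIELD_RE.findall(line)}
    rec["serial"] = m.group(1)
    return rec


def group_events(log_text):
    """Group records by serial so SYSCALL, CWD and PATH lines of one event stay together."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def resolve_target(name, cwd):
    """Absolute, normalised path of a PATH record; relative names are cwd-relative."""
    path = name if posixpath.isabs(name) else posixpath.join(cwd, name)
    return posixpath.normpath(path)


def outside_root(path, root=PROJECTS_ROOT):
    """True unless path is strictly inside root (deleting root itself is flagged too)."""
    root = posixpath.normpath(root)
    return path == root or posixpath.commonpath([root, path]) != root


def find_suspicious_deletes(log_text, root=PROJECTS_ROOT, exe_name="radare2"):
    """Return one hit per deleted path from radare2 that resolves outside root."""
    hits = []
    for serial, recs in group_events(log_text).items():
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if syscall is None or not syscall.get("exe", "").endswith("/" + exe_name):
            continue
        nr = int(syscall.get("syscall", -1))
        if nr not in DELETE_SYSCALLS:
            continue
        cwd = next((r["cwd"] for r in recs if r["type"] == "CWD"), "/")
        for rec in recs:
            if rec["type"] == "PATH" and rec.get("nametype") == "DELETE":
                target = resolve_target(rec["name"], cwd)
                if outside_root(target, root):
                    hits.append({"serial": serial, "pid": syscall.get("pid"),
                                 "syscall": DELETE_SYSCALLS[nr], "path": target})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_deletes(SAMPLE_AUDIT_LOG):
        print(hit)
```

Resolving against the CWD record matters: radare2 may be started from inside dir.projects, in which case a traversal via `..` shows up in the PATH record as a relative name that only looks harmless. The same containment test (normalise, then compare with commonpath) is what the hardened deletion code should apply before it ever issues the syscall.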
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
Relevant areas: information security policies (access control and privilege management), user access management (least privilege), user responsibility (secure use of assets), event logging (detection of unauthorized activity) and management of technical vulnerabilities (patch management). The identifiers listed for these (A.5.1.1, A.8.1.1, A.8.2.1, A.12.4.1, A.12.6.1) are ISO/IEC 27001:2013 Annex A control numbers, not ECC control numbers; map them to the ECC's own control IDs before citing them in an assessment.
🔵 SAMA CSF
Relevant areas: asset management (inventory of software and systems), access control (least privilege), protective technology (file integrity monitoring), continuous monitoring, and incident containment and recovery. The identifiers listed for these (ID.AM-2, PR.AC-1, PR.PT-2, DE.CM-1, RS.MI-2) are NIST CSF subcategory IDs, not SAMA CSF control numbers; map them to the SAMA CSF's own numbering before use.
🟡 ISO/IEC 27001:2022
A.5.1 - Policies for information security; A.5.2 - Information security roles and responsibilities; A.5.15 - Access control; A.5.18 - Access rights; A.8.8 - Management of technical vulnerabilities; A.8.15 - Logging; A.8.25 - Secure development life cycle (the 2022 edition renumbered the 2013 Annex A controls, so the 2013-style IDs A.5.1.1, A.6.1.1, A.8.1.1, A.8.2.1, A.12.6.1 and A.14.2.1 no longer apply).
📦 Affected Products / CPE 1 entries
radare:radare2
📊 CVSS Score
7.1 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Attack Vector: L — Local
Attack Complexity: L — Low
Privileges Required: N — None
User Interaction: R — Required
Scope: U — Unchanged
Confidentiality: N — None
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 7.1
CWE: CWE-22
EPSS: 0.02%
Exploit: ✓ Yes
Patch: feed flag ✗ No; the NVD description nevertheless names 6.1.4 as the first fixed version
Published: 2026-04-23
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0
Priority: CRITICAL
🏷️ Tags: CWE-22