CVE-2026-52752: Ghidra < 12.0.2 - Path Traversal in Extension Installer via ZIP Entry Names

Synopsis

A path traversal vulnerability in Ghidra's extension installer allows an attacker to write arbitrary files outside the intended extraction directory by embedding traversal sequences (such as "../") in ZIP entry filenames. The attack requires local access and victim interaction, as a user must manually install a crafted extension; no authentication or network exposure is needed. Successful exploitation results in arbitrary file writes that enable code execution on the host. A patched-image rebuild at version 12.0.2 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Exploit Conditions

• Network reachabilityNot required

  The attacker needs an existing shell or process on the host; no over-the-network access to the vulnerable component is required.

• AuthenticationNot required

  No account or credentials are needed to supply the malicious extension; the attack rides on the privileges of the user performing the installation.

• Victim interactionRequired

  A local user must actively install the crafted Ghidra extension, making social engineering or supply-chain substitution the delivery mechanism.

• Attack complexityDetail

  Exploit conditions are reliable and free of environmental dependencies; crafting a malicious ZIP with traversal-sequenced entry names requires no race conditions or special memory layout.

Blast Radius

• Attacker writes arbitrary files to any path the running user can reach on disk, including executable locations and configuration directories.
• Arbitrary file writes enable code execution under the identity of the user who installed the extension.
• Integrity of the local Ghidra installation and any co-located tooling or scripts is compromised by overwritten or injected files.