Skip to main content

Ghidra CVE-2026-4946

| EUVD-2026-17042 HIGH
OS Command Injection (CWE-78)
2026-03-29 AHA
Command Injection Ghidra
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:11 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
12.0.3
EUVD ID Assigned
Mar 29, 2026 - 19:45 euvd
EUVD-2026-17042
Analysis Generated
Mar 29, 2026 - 19:45 vuln.today
CVE Published
Mar 29, 2026 - 19:35 nvd
HIGH 8.8

DescriptionCVE.org

Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine.

AnalysisAI

Command injection in NSA Ghidra (versions before 12.0.3) executes arbitrary commands when analysts click on maliciously crafted binary comments. Attackers embed @execute annotation directives in binary data (e.g., CFStrings in Mach-O files) that Ghidra auto-extracts and renders as clickable UI elements, bypassing the intended trust boundary for user-authored annotations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious binary with @execute annotation in CFString
Delivery
Distribute binary to analyst
Exploit
Analyst opens binary in Ghidra UI
Execution
Click on generated comment text
Impact
Execute arbitrary commands on analyst machine
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Victim must open a crafted binary (e.g., Mach-O executable containing malicious CFStrings) in Ghidra versions prior to 12.0.3 and click on the attacker-injected @execute annotation text in the UI. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is HIGH for targeted supply-chain or watering-hole attacks against reverse engineers and malware analysts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An APT group targeting cybersecurity researchers embeds @execute directives with reverse shell payloads inside CFString constants of a Mach-O malware sample, then shares the binary on Twitter as a novel macOS threat for community analysis. A malware analyst downloads the sample, opens it in Ghidra 12.0.2, and auto-analysis extracts the weaponized strings into clickable UI comments. …
Remediation Upgrade to Ghidra version 12.0.3 or later immediately, as confirmed by the NSA GitHub security advisory at https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-mc3p-mq2p-xw6v. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Ghidra installations in your environment and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-52751 HIGH
8.6 Jun 10

Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens
CVE-2026-52752 HIGH
8.4 Jun 10

Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking
CVE-2026-52755 HIGH
8.4 Jun 10

Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the

CVE-2026-49496 MEDIUM
6.9 Jun 10

Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application

CVE-2026-49495 MEDIUM
6.7 Jun 10

Uncontrolled resource consumption in Ghidra's Mach-O binary parser (versions 10.2 through pre-12.1) allows a crafted bin

Share

CVE-2026-4946 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy