Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
Description (CVE.org)
Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, affecting downstream SLEIGH library consumers.
Analysis (AI)
Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application crash by supplying a crafted binary for decompilation. All Ghidra releases prior to 12.1 are affected, as is any downstream application consuming the SLEIGH library via the public Sleigh::oneInstruction C++ API. …
Vulnerability Assessment (AI)
| Exploitation | The attacker must supply a malicious binary that, when processed by the SLEIGH disassembler, causes PcodeCacher::allocateInstruction to reallocate the issued vector while SleighBuilder::generatePointerAdd holds a live iterator into it - the triggering condition is the specific sequence of P-code instruction allocation that crosses a vector growth boundary. … |
| Risk Assessment | The CVSS v4.0 base score of 6.9 is driven by VA:H (high availability impact - likely a crash) tempered by AV:L (local attack vector), AT:N (no special attack prerequisites), PR:N (no privileges required of the attacker), and UI:P (passive user interaction required - the analyst must open and decompile the malicious binary). … |
| Exploit Scenario | An attacker embeds a crafted binary - designed so that its instruction stream causes PcodeCacher::allocateInstruction to reallocate the issued vector mid-operation - and delivers it to a reverse engineer or an automated malware analysis pipeline running a vulnerable version of Ghidra or a SLEIGH-consuming tool. When the analyst opens the binary and triggers decompilation, the heap-use-after-free fires in SleighBuilder::generatePointerAdd, crashing the Ghidra session or corrupting heap state. … |
| Remediation | Upgrade to Ghidra 12.1 or later; vendor patch is confirmed available. … |
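The reallocation hazard named in the description, as an added C++ example that is not Ghidra source and not from the original page: a simplified model in which `Op`, `OpCache`, `allocation_relocates` and `build_pointer_add` are hypothetical names. It shows that a growth step moves a vector's storage, and an index-based pattern that stays valid across that step.

```cpp
// Added illustration with hypothetical names; this is not Ghidra source code.
#include <cstddef>
#include <cstdint>
#include <vector>

struct Op { int opcode = 0; long input = 0; };

// Toy stand-in for a cache that issues slots from one growing std::vector.
class OpCache {
    std::vector<Op> issued_;
public:
    explicit OpCache(std::size_t reserved) { issued_.reserve(reserved); }
    // Returns the new slot's index. emplace_back may reallocate, which
    // invalidates every iterator, pointer and reference into issued_.
    std::size_t allocate() { issued_.emplace_back(); return issued_.size() - 1; }
    Op &at(std::size_t i) { return issued_.at(i); }  // bounds-checked lookup
    bool full() const { return issued_.size() == issued_.capacity(); }
    std::uintptr_t storage() const {
        return reinterpret_cast<std::uintptr_t>(issued_.data());
    }
};

// True when one allocation moved the backing store, i.e. an iterator taken
// before the call would now dangle. Addresses are compared as integers only;
// the old buffer is never dereferenced.
bool allocation_relocates(OpCache &cache) {
    const std::uintptr_t before = cache.storage();
    cache.allocate();
    return cache.storage() != before;
}

// Hardened pattern: carry indices across allocate() and look the slot up
// again afterwards instead of keeping an iterator or reference.
long build_pointer_add(OpCache &cache, long base, long offset) {
    const std::size_t first = cache.allocate();
    cache.at(first).opcode = 1;
    cache.at(first).input = base;
    const std::size_t second = cache.allocate();  // may move the storage
    cache.at(second).opcode = 2;
    cache.at(second).input = cache.at(first).input + offset;  // fresh lookup
    return cache.at(second).input;
}

int main() {
    OpCache cache(1);
    return build_pointer_add(cache, 0x1000, 4) == 0x1004 ? 0 : 1;
}
```

Building a SLEIGH-consuming tool with AddressSanitizer (`-fsanitize=address`) reports this class of stale-iterator access as a heap-use-after-free at the point of use.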
EUVD-2026-36005