Skip to main content

Ghidra CVE-2026-52751

| EUVD-2026-36009 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-10 VulnCheck
RCE Deserialization Ghidra
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 10, 2026 - 14:36 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 14:35 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 10, 2026 - 14:22 NVD
8.8 (HIGH) 8.6 (HIGH)
Source Code Evidence Fetched
Jun 10, 2026 - 14:04 vuln.today
Analysis Generated
Jun 10, 2026 - 14:04 vuln.today

DescriptionCVE.org

Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes untrusted objects using a Jython 2.7.4 gadget chain to execute arbitrary commands.

AnalysisAI

Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens a malicious shared-project file containing a ghidra:// URL, triggering unsafe Java deserialization in the client-side Shared-Project RMI connection code. Exploitation leverages a Jython 2.7.4 gadget chain and requires only user interaction (opening the crafted project), with no authentication needed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Ghidra user target
Delivery
Deliver malicious project file or ghidra:// URL
Exploit
Victim opens via File
Install
Open Project
C2
RMI client deserializes payload
Execute
Jython gadget chain executes commands
Impact
Code execution as analyst user
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The victim must open a malicious project file or follow a ghidra:// URL via File → Open Project in a Ghidra version before 12.1 - this triggers the client-side Shared-Project RMI deserialization path; the Jython 2.7.4 interpreter that supplies the gadget chain is bundled with Ghidra so no additional configuration is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H) yields 8.6 and reflects a network-reachable, low-complexity, unauthenticated bug whose only friction is active user interaction - a Ghidra analyst must open the malicious project file. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a malware analyst sends a phishing email with a Ghidra project file purporting to contain a sample worth investigating, or hosts a ghidra:// link on a researcher-themed site. When the analyst chooses File → Open Project and selects the crafted file, the client-side RMI code deserializes attacker-controlled objects through a Jython 2.7.4 gadget chain and executes arbitrary commands as the analyst's user, granting a foothold on a workstation that typically holds sensitive samples, internal tooling, and source code.
Remediation Vendor-released patch: upgrade to Ghidra 12.1 or later, which is available from the NationalSecurityAgency/ghidra GitHub releases and is referenced by the GitHub Security Advisory at https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-fgg5-g275-7742 and fixing commit 91a269103fe5d133c14ec3afa60280dccb94be5c. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Ghidra installations and document current version numbers across development and security teams. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-52752 HIGH
8.4 Jun 10

Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking
CVE-2026-52755 HIGH
8.4 Jun 10

Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the

CVE-2026-49496 MEDIUM
6.9 Jun 10

Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application

CVE-2026-49495 MEDIUM
6.7 Jun 10

Uncontrolled resource consumption in Ghidra's Mach-O binary parser (versions 10.2 through pre-12.1) allows a crafted bin
CVE-2026-52753 MEDIUM
6.7 Jun 10

Uncontrolled memory allocation in Ghidra's rust_demangle function (versions before 12.0.3) allows a denial-of-service co

Share

CVE-2026-52751 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy