Skip to main content

Ghidra EUVD-2026-36016

| CVE-2026-52757 MEDIUM
Use After Free (CWE-416)
2026-06-10 VulnCheck
Use After Free Information Disclosure Memory Corruption Ghidra
4.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
4.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
Jun 10, 2026 - 15:01 EUVD
Analysis Generated
Jun 10, 2026 - 14:30 vuln.today
CVSS changed
Jun 10, 2026 - 14:22 NVD
4.4 (MEDIUM) 4.6 (MEDIUM)

DescriptionCVE.org

Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, reading and writing the flags field of freed heap memory when a user opens the binary in Ghidra's decompiler view.

AnalysisAI

Heap-use-after-free corruption in Ghidra's decompiler before version 12.1 allows a local attacker - or any actor who can deliver a crafted binary to a target analyst - to corrupt freed heap memory when the victim opens the file in the decompiler view. The vulnerability resides in HighVariable::merge() during the variable merging pass, where stale pointers in the HighIntersectTest::highedgemap cache are dereferenced against freed memory, producing low-impact integrity and availability effects on the Ghidra process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft binary triggering highedgemap stale pointer
Delivery
Deliver binary to target analyst (phishing, repo, crackme)
Exploit
Victim opens binary in Ghidra decompiler view
Install
HighVariable::merge() processes crafted variable structure
C2
Stale pointer in highedgemap cache dereferenced
Execute
Freed heap memory flags field read/written
Impact
Ghidra process crash or heap corruption
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The CVSS 4.0 vector AV:L/UI:A establishes two mandatory prerequisites: (1) the attacker must deliver a specially crafted binary to the victim's local filesystem or accessible path - remote unauthenticated network exploitation is not possible per the local attack vector; and (2) the victim must actively open the crafted binary in Ghidra and cause the decompiler view to be invoked, which triggers the HighVariable::merge() variable merging pass. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 4.6 (Medium) is consistent with the constrained impact profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor targeting security researchers crafts a malicious binary - packaged as a crackme challenge, a shared malware sample, or a file delivered via phishing - designed to trigger the stale-pointer dereference in HighIntersectTest::highedgemap during decompilation. When an analyst opens the binary in an unpatched Ghidra instance and navigates to the decompiler view, the HighVariable::merge() function processes the crafted variable structure, dereferences the freed heap pointer, and reads or writes the flags field of the freed object, at minimum crashing the Ghidra process and potentially enabling further memory corruption primitives depending on heap layout. …
Remediation Upgrade to Ghidra 12.1 or later, which resolves the heap-use-after-free in HighVariable::merge() per the vendor advisory at https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-8jqp-qv73-395r. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-52751 HIGH
8.6 Jun 10

Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens
CVE-2026-52752 HIGH
8.4 Jun 10

Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking
CVE-2026-52755 HIGH
8.4 Jun 10

Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the

CVE-2026-49496 MEDIUM
6.9 Jun 10

Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application

CVE-2026-49495 MEDIUM
6.7 Jun 10

Uncontrolled resource consumption in Ghidra's Mach-O binary parser (versions 10.2 through pre-12.1) allows a crafted bin

Share

EUVD-2026-36016 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy