Ghidra
Monthly
Uncontrolled heap memory allocation in Ghidra's Mach-O binary parser (versions before 12.1.1) allows denial of service by crashing the Ghidra JVM. The parser reads the `ncmds` load command count field directly from a Mach-O file header and uses it to drive heap allocation without cross-validating it against the actual file size, enabling a crafted binary to exhaust JVM memory. No public exploit has been identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog, though the attack primitive is straightforward to reproduce from the description.
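The fix for this class of bug is to bound the header's declared counts by the bytes actually present before allocating anything. The following is an added example, not Ghidra's own parser: a Python pre-screening check for Mach-O images that rejects any `ncmds`/`sizeofcmds` pair the file cannot back, then walks the load commands under the same bound. The magic values and header layout are the standard Mach-O ones; the sample headers are constructed.

```python
import struct

MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE        # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE  # 64-bit, native / byte-swapped
LC_MIN = 8  # every load_command begins with uint32 cmd, uint32 cmdsize

def check_macho_header(data: bytes):
    """Bounds-check a Mach-O header before trusting ncmds / sizeofcmds.
    Returns (ok, reason, ncmds, sizeofcmds). Constructed hardening check, not
    Ghidra's parser: the declared counts are validated against bytes present."""
    if len(data) < 28:
        return (False, "too short for mach_header", 0, 0)
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        endian = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        endian = ">"  # swapped magic means the file is big-endian
    else:
        return (False, "not a Mach-O magic", 0, 0)
    hdr_len = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28
    if len(data) < hdr_len:
        return (False, "truncated mach_header", 0, 0)
    # cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags follow the magic
    _, _, _, ncmds, sizeofcmds, _ = struct.unpack(endian + "6I", data[4:28])
    available = len(data) - hdr_len
    if sizeofcmds > available:
        return (False, "sizeofcmds exceeds bytes after header", ncmds, sizeofcmds)
    if ncmds * LC_MIN > sizeofcmds:
        return (False, "ncmds cannot fit in sizeofcmds", ncmds, sizeofcmds)
    # Walk the commands under the same bound so no cmdsize can run past them
    off, end = hdr_len, hdr_len + sizeofcmds
    for _ in range(ncmds):
        if off + LC_MIN > end:
            return (False, "load commands overrun sizeofcmds", ncmds, sizeofcmds)
        _, cmdsize = struct.unpack(endian + "2I", data[off:off + 8])
        if cmdsize < LC_MIN or off + cmdsize > end:
            return (False, "load command cmdsize out of bounds", ncmds, sizeofcmds)
        off += cmdsize
    return (True, "header bounds are consistent", ncmds, sizeofcmds)

def build_header(ncmds, sizeofcmds, body=b""):
    """Constructed sample: little-endian mach_header_64 (arm64, MH_EXECUTE) + body."""
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, ncmds, sizeofcmds, 0, 0)
    return hdr + body

# One well-formed 16-byte LC_CODE_SIGNATURE command vs. a header claiming 2^32-1 commands
ONE_CMD = struct.pack("<2I", 0x1D, 16) + b"\0" * 8
SANE = build_header(1, 16, ONE_CMD)
HOSTILE = build_header(0xFFFFFFFF, 16, ONE_CMD)
```

The check never allocates per `ncmds`, so a header claiming billions of commands costs only a few comparisons.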
Heap-use-after-free corruption in Ghidra's decompiler before version 12.1 allows a local attacker - or any actor who can deliver a crafted binary to a target analyst - to corrupt freed heap memory when the victim opens the file in the decompiler view. The vulnerability resides in HighVariable::merge() during the variable merging pass, where stale pointers in the HighIntersectTest::highedgemap cache are dereferenced against freed memory, producing low-impact integrity and availability effects on the Ghidra process. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis, but the tool's user base of security researchers who routinely open untrusted binaries elevates the practical threat profile.
Path traversal in Ghidra's IsfServer component (all versions before 12.2) allows remote unauthenticated attackers to enumerate filesystem paths and probe arbitrary files by connecting to TCP port 54321 and sending crafted protobuf messages. The root cause is unsanitized client-supplied namespace strings passed directly to filesystem operations, a CWE-22 defect. Given Ghidra's deployment context - security research, malware analysis, and reverse engineering of sensitive artifacts, often in high-value government and defense environments - successful exploitation could expose directory structures and sensitive file metadata on the analyst's workstation. No public exploit code has been identified and this vulnerability is not in CISA KEV at time of analysis.
Arbitrary file write in NSA's Ghidra reverse-engineering framework before version 12.0.4 allows attackers to escape the theme directory via Zip Slip path traversal sequences in malicious theme ZIP archives, leading to code execution or credential compromise. The flaw requires user interaction (importing the booby-trapped theme) and is exploited locally against the user running Ghidra. No public exploit identified at time of analysis, though the technique (Zip Slip) is well-documented and trivially reproducible.
Uncontrolled memory allocation in Ghidra's rust_demangle function (versions before 12.0.3) allows a denial-of-service condition when a user analyzes a specially crafted binary containing malicious Rust symbol names. The affected function allocates output buffers without enforcing size limits, enabling exponential memory growth that crashes the Ghidra process. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the practical attack surface is real for teams that routinely analyze untrusted Rust binaries.
Arbitrary file write in NSA Ghidra versions prior to 12.0.2 allows local attackers to achieve code execution by tricking a user into installing a malicious extension archive. The extension installer fails to sanitize ZIP entry names, enabling classic Zip Slip path traversal that writes files outside the intended extension directory. No public exploit identified at time of analysis, though the technique is well-documented and trivially reproducible.
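Both the theme importer and the extension installer entries above describe the same Zip Slip defect, and the same mitigation applies to both: resolve every archive entry name against the destination directory and refuse the archive if any entry lands outside it. The following is an added example, not Ghidra's code; the archive contents and the destination path are constructed.

```python
import io
import os
import tempfile
import zipfile

def zip_slip_entries(zip_bytes: bytes, dest_dir: str):
    """Return the entry names that would land outside dest_dir if extracted as-is.
    Constructed hardening check, not Ghidra's installer: each name is resolved
    against the destination and flagged unless the result stays inside it."""
    dest = os.path.realpath(dest_dir)
    escaping = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            norm = name.replace("\\", "/")  # treat backslash as a separator too
            # Absolute paths and drive letters never belong in an archive entry
            if norm.startswith("/") or norm[1:2] == ":":
                escaping.append(name)
                continue
            target = os.path.realpath(os.path.join(dest, norm))
            if os.path.commonpath([dest, target]) != dest:
                escaping.append(name)
    return escaping

def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Refuse the whole archive if any entry escapes; never extract partially."""
    bad = zip_slip_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError("archive rejected, traversal entries: %r" % bad)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)
    return sorted(os.listdir(dest_dir))

def build_zip(entries):
    """Constructed sample archive from (name, content) pairs; no sanitising on write."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()

DEST = os.path.join(tempfile.gettempdir(), "example-theme-dir")  # constructed path
BENIGN = build_zip([("Dark.theme", "[Theme]\nname=Dark\n"), ("sub/extra.properties", "")])
SLIPPED = build_zip([("Dark.theme", ""), ("../../outside.txt", "x")])
```

Checking the whole archive first, rather than entry by entry during extraction, avoids leaving a half-installed theme or extension behind when a later entry is rejected.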
Remote code execution in NSA Ghidra before version 12.1 allows attackers to execute arbitrary commands when a user opens a malicious shared-project file containing a ghidra:// URL, triggering unsafe Java deserialization in the client-side Shared-Project RMI connection code. Exploitation leverages a Jython 2.7.4 gadget chain and requires only user interaction (opening the crafted project), with no authentication needed. No public exploit identified at time of analysis, though VulnCheck has published an advisory describing the flaw.
Path traversal in Ghidra's SameDirDebugInfoProvider (versions before 12.1) enables filesystem probing and CRC32 hash leakage of arbitrary files when a user opens a crafted ELF binary during automatic DWARF analysis. The vulnerability stems from missing validation of filenames embedded in ELF .gnu_debuglink sections before those filenames are used to construct filesystem paths. No public exploit code is currently identified and it is not listed in CISA KEV, but the risk is notable for security researchers and reverse engineers who routinely analyze untrusted binaries.
Heap-use-after-free in Ghidra's SLEIGH disassembler engine allows an attacker to cause memory corruption or application crash by supplying a crafted binary for decompilation. All Ghidra releases prior to 12.1 are affected, as is any downstream application consuming the SLEIGH library via the public Sleigh::oneInstruction C++ API. The CVSS v4.0 score of 6.9 reflects a high availability impact (VA:H) with low integrity impact (VI:L) and no confidentiality impact; no public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.
Uncontrolled resource consumption in Ghidra's Mach-O binary parser (versions 10.2 up to, but not including, 12.1) allows a crafted binary to crash the entire JVM and destroy all unsaved analyst work. The ExportTrie.parseTrie() method lacks cycle detection when walking export trie structures, so a malicious Mach-O binary embedding circular trie references triggers unbounded queue growth and exponential string concatenation until an OutOfMemoryError terminates the JVM process. No public exploit has been identified at time of analysis and no CISA KEV listing exists, but the risk is materially elevated in adversarial research contexts where analysts routinely open untrusted binaries - exactly the workflow Ghidra is designed for.
Command injection in NSA Ghidra (versions before 12.0.3) allows arbitrary command execution when an analyst clicks a maliciously crafted comment extracted from a binary. Attackers embed @execute annotation directives in binary data (e.g., CFStrings in Mach-O files) that Ghidra auto-extracts and renders as clickable UI elements, bypassing the intended trust boundary for user-authored annotations. No public exploit has been identified at time of analysis, though the attack vector is well documented in the vendor advisory. EPSS data is not available; the CVSS score of 8.8 reflects high impact contingent on user interaction with a weaponized binary file.