Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2024-58350

CVE-2024-58350: Ghidra Use After Free Vulnerability

CVE-2024-58350 is a use after free flaw in Ghidra's Sleigh backend that enables attackers to trigger denial of service or infinite loops. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2024-58350 Overview

CVE-2024-58350 is a use-after-free vulnerability in Ghidra before version 11.2, the open-source software reverse engineering framework maintained by the National Security Agency. The flaw resides in the Sleigh backend and stems from undefined static initialization order between the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers with local access can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order, which causes iteration over deallocated memory. The issue is tracked under [CWE-758] (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior).

Critical Impact

Local attackers can cause denial of service in Ghidra by triggering iteration over deallocated memory during process shutdown.

Affected Products

  • Ghidra versions prior to 11.2
  • Sleigh backend component
  • SleighArchitecture and XmlArchitectureCapability singletons

Discovery Timeline

  • 2026-06-10 - CVE-2024-58350 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2024-58350

Vulnerability Analysis

The vulnerability exists in Ghidra's Sleigh backend, which handles processor specification and disassembly logic. Two C++ singletons, SleighArchitecture::translators and XmlArchitectureCapability, depend on each other at program termination. Because the C++ standard does not define a destruction order for static objects across translation units, one singleton may be destroyed while the other still references it.

When the surviving singleton attempts to iterate over the destroyed container, it reads freed memory. This produces undefined behavior that manifests as an infinite loop or process hang during Ghidra shutdown. The use-after-free condition is deterministic on affected builds because it is driven by static initialization order rather than runtime input.

Root Cause

The root cause is the static initialization order fiasco in C++, classified as [CWE-758]. Global singleton lifetimes were not explicitly ordered, so destructor invocation depended on translation unit linkage order. The Sleigh backend relied on the implicit assumption that the translators container would outlive XmlArchitectureCapability, which is not guaranteed by the language specification.

Attack Vector

Exploitation requires local access to a system running a vulnerable Ghidra build. An attacker influences shutdown conditions, for example by loading a crafted architecture specification or causing the process to terminate in a controlled state. The result is a denial-of-service condition limited to availability impact. No code execution, privilege escalation, or data disclosure is possible through this flaw based on available advisory information.

No public proof-of-concept exploit is documented in the advisories. Refer to the GitHub Security Advisory and the VulnCheck Advisory for technical details.

Detection Methods for CVE-2024-58350

Indicators of Compromise

  • Ghidra processes that hang or consume CPU at 100% during shutdown rather than exiting cleanly.
  • Crash dumps or core files referencing SleighArchitecture::translators or XmlArchitectureCapability destructors.
  • Unexpected ghidra or decompile child processes persisting after the main application closes.

Detection Strategies

  • Inventory Ghidra installations across analyst workstations and identify any build earlier than 11.2.
  • Monitor process termination behavior of Ghidra and its decompile helper for abnormal exit times.
  • Review application logs for repeated shutdown failures tied to the Sleigh backend.

Monitoring Recommendations

  • Track CPU and memory usage of long-running Ghidra processes to detect runaway loops on exit.
  • Alert on Ghidra child processes that fail to terminate within an expected window.
  • Collect software inventory telemetry to flag unpatched Ghidra versions on developer and reverse-engineering hosts.

How to Mitigate CVE-2024-58350

Immediate Actions Required

  • Upgrade Ghidra to version 11.2 or later on all systems where it is installed.
  • Restrict local access to analyst workstations running reverse-engineering tooling.
  • Validate the provenance of processor specification files and Sleigh extensions before loading them.

Patch Information

The fix is included in Ghidra 11.2, which enforces a deterministic destruction order between the SleighArchitecture::translators and XmlArchitectureCapability singletons. Obtain the patched release from the official Ghidra repository and review the GitHub Security Advisory GHSA-4g43-2f29-xvp4 for upgrade guidance.

Workarounds

  • Terminate Ghidra processes with SIGKILL if a shutdown hang occurs, then restart the application on a patched build.
  • Avoid loading untrusted Sleigh specifications or third-party architecture modules until the upgrade is complete.
  • Isolate Ghidra usage to non-privileged accounts to limit any local impact from denial-of-service conditions.
bash
# Verify the installed Ghidra version and upgrade if below 11.2
./ghidraRun --version
# Upgrade by replacing the installation with the 11.2 release from the official source

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.