Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-49495

CVE-2026-49495: Ghidra DoS Vulnerability

CVE-2026-49495 is a denial of service vulnerability in Ghidra affecting versions 10.2 through 12.0. Crafted Mach-O binaries trigger resource exhaustion that crashes the JVM. This article covers technical details, impact, and mitigations.

Published:

CVE-2026-49495 Overview

CVE-2026-49495 is an uncontrolled resource consumption vulnerability in Ghidra, the open-source software reverse engineering suite maintained by the National Security Agency. The flaw resides in the ExportTrie.parseTrie() method, which parses Mach-O binary export tries without cycle detection. A crafted Mach-O binary containing circular references in its export trie forces unbounded queue growth and exponential string concatenation during parsing. This triggers an OutOfMemoryError that crashes the entire Java Virtual Machine (JVM) hosting Ghidra, destroying any unsaved analysis work. The issue is classified under [CWE-835] (Loop with Unreachable Exit Condition) and affects Ghidra versions 10.2 through versions prior to 12.1.

Critical Impact

A malicious Mach-O sample loaded for analysis crashes the Ghidra JVM and destroys all unsaved reverse engineering progress in the session.

Affected Products

  • Ghidra 10.2 through versions prior to 12.1
  • National Security Agency Ghidra software reverse engineering suite
  • Any Ghidra deployment that imports or analyzes Mach-O binaries

Discovery Timeline

  • 2026-06-10 - CVE-2026-49495 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-49495

Vulnerability Analysis

The vulnerability lives in Ghidra's Mach-O loader, specifically the ExportTrie.parseTrie() routine. Export tries in Mach-O binaries are tree-like structures that encode exported symbol names along edges from the root to terminal nodes. A correct parser walks the trie once, accumulating the symbol prefix along each edge. Ghidra's implementation traverses these nodes using a worklist queue but never tracks which nodes it has already visited.

When the parser encounters an edge that points back to an earlier node, it re-enqueues that node along with the accumulated prefix string. Each cycle traversal lengthens the prefix and multiplies the number of queued work items. The result is exponential growth in both queue size and string allocation. The JVM eventually exhausts its heap and throws OutOfMemoryError, terminating the entire Ghidra process.

Root Cause

The root cause is the absence of cycle detection during graph traversal. The parser treats the export trie as a directed acyclic graph but performs no validation that input binaries conform to that assumption. Attacker-controlled byte sequences in the Mach-O export section can construct arbitrary directed graphs, including ones with cycles.

Attack Vector

Exploitation requires a user to open or import a malicious Mach-O binary in Ghidra. The CVSS 4.0 vector indicates a local attack vector with active user interaction. There is no remote exploitation path, and the impact is limited to availability — the attacker cannot achieve code execution, only a denial of service against the analyst's session. Malware authors can embed this trigger into samples to disrupt reverse engineering workflows.

No public proof-of-concept exploit code has been released. Refer to the GitHub Security Advisory and the VulnCheck Advisory for additional technical detail.

Detection Methods for CVE-2026-49495

Indicators of Compromise

  • Ghidra processes terminating with java.lang.OutOfMemoryError exceptions in logs shortly after a Mach-O import operation
  • Sudden JVM heap exhaustion correlated with analysis of untrusted Mach-O samples
  • Mach-O binaries whose export trie sections contain self-referential or back-edge node pointers

Detection Strategies

  • Inspect Mach-O export trie structures statically with a validator that tracks visited node offsets and flags any repeated visit during traversal
  • Monitor analyst workstations for unexpected Ghidra crashes immediately following file import events
  • Compare installed Ghidra versions against the fixed release 12.1 across the reverse engineering team's endpoints

Monitoring Recommendations

  • Forward Ghidra application logs and JVM crash dumps to a centralized logging platform for review
  • Track endpoint process termination events for the ghidraRun or java processes hosting Ghidra on analyst machines
  • Alert when Mach-O samples sourced from untrusted threat intelligence feeds are loaded outside of isolated analysis environments

How to Mitigate CVE-2026-49495

Immediate Actions Required

  • Upgrade Ghidra to version 12.1 or later on all analyst workstations and shared analysis servers
  • Save work frequently when analyzing untrusted Mach-O binaries on unpatched installations
  • Perform analysis of untrusted samples inside disposable virtual machines or containers to isolate JVM crashes

Patch Information

The National Security Agency released a fix in Ghidra 12.1 that adds cycle detection to ExportTrie.parseTrie(). Details and the patched code are referenced in the GitHub Security Advisory GHSA-wm33-9f68-3vjg. Operators should pull the latest release from the official Ghidra project repository.

Workarounds

  • Avoid importing untrusted Mach-O binaries until the upgrade to Ghidra 12.1 is complete
  • Pre-validate Mach-O samples with an external parser that enforces acyclic export trie structure before loading them into Ghidra
  • Increase the JVM maximum heap size only as a stop-gap; this delays but does not prevent the crash
bash
# Verify the installed Ghidra version meets the patched baseline
cat $GHIDRA_INSTALL_DIR/Ghidra/application.properties | grep application.version

# Required output: application.version=12.1 or later

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.