CVE-2026-52751 Overview
CVE-2026-52751 is an unsafe deserialization vulnerability [CWE-502] in Ghidra versions before 12.1. The flaw resides in the client-side Shared-Project Remote Method Invocation (RMI) connection code. Attackers can craft a malicious project file containing a ghidra:// URL that triggers deserialization of untrusted objects when a victim opens it through File → Open Project. The deserialization process leverages a Jython 2.7.4 gadget chain to execute arbitrary commands on the victim's host. Exploitation requires user interaction but no authentication, enabling unauthenticated remote code execution against reverse engineers and malware analysts who use Ghidra.
Critical Impact
Successful exploitation grants arbitrary command execution on the analyst's workstation, exposing source code, samples, and credentials in the user's context.
Affected Products
- Ghidra versions prior to 12.1
- Ghidra Shared-Project RMI client component
- Installations using bundled Jython 2.7.4
Discovery Timeline
- 2026-06-10 - CVE-2026-52751 published to the National Vulnerability Database (NVD)
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-52751
Vulnerability Analysis
Ghidra's Shared-Project feature allows analysts to collaborate over RMI. The client connection code deserializes Java objects received during connection setup without filtering classes against an allowlist. An attacker who controls the RMI endpoint referenced by a ghidra:// URL can return arbitrary serialized payloads. Because Ghidra ships with Jython 2.7.4 on its classpath, the attacker can construct a gadget chain that ends in java.lang.Runtime.exec or equivalent command execution. The result is code execution with the privileges of the Ghidra process.
The attack chain depends on the victim opening a malicious project file. Project files can embed a ghidra:// URL that is followed automatically during the File → Open Project workflow, removing the need for additional victim steps once the file is opened.
Root Cause
The root cause is the absence of a deserialization filter (such as ObjectInputFilter) on the RMI client socket. Java RMI uses native serialization by default, and any class reachable on the classpath is a candidate for instantiation. Bundling Jython provides a well-known gadget chain that converts deserialization into command execution.
Attack Vector
The attack vector is network-based with required user interaction. An attacker hosts a malicious RMI server and distributes a crafted Ghidra project file referencing it via ghidra://. When the analyst opens the project, the client connects to the attacker server and deserializes the returned payload, leading to command execution under the analyst's account.
No synthetic exploit code is published here. Refer to the VulnCheck Advisory and the GitHub Security Advisory GHSA-fgg5-g275-7742 for technical details on the gadget chain and patched code paths.
Detection Methods for CVE-2026-52751
Indicators of Compromise
- Ghidra project files received from untrusted sources containing ghidra:// URLs pointing to external hosts
- Outbound TCP connections from the Ghidra Java process to unexpected RMI ports (typically 1099 or high ephemeral ports)
- Child processes spawned by the Ghidra JVM that are not part of normal analysis workflow, such as sh, cmd.exe, powershell.exe, or python
Detection Strategies
- Inspect process trees for the Ghidra Java executable launching command interpreters or scripting hosts
- Monitor for Java RMI traffic originating from analyst workstations to external networks
- Hunt for newly created Ghidra project archives on shared drives or email gateways and review embedded URLs
Monitoring Recommendations
- Log execution of ghidraRun and the underlying java process with full command lines and parent-child relationships
- Alert on EDR telemetry showing the Ghidra JVM writing executables or scheduled tasks
- Capture network flows from analyst subnets to identify unexpected RMI or JRMP connections
How to Mitigate CVE-2026-52751
Immediate Actions Required
- Upgrade Ghidra to version 12.1 or later on all analyst workstations
- Block opening of Ghidra project files received from untrusted email, chat, or web sources until patched
- Restrict outbound network access from reverse-engineering workstations to known-good RMI endpoints only
Patch Information
The vulnerability is fixed in Ghidra 12.1. The upstream fix is tracked in the Ghidra GitHub commit 91a26910 and documented in GHSA-fgg5-g275-7742. The patch adds filtering to the Shared-Project RMI client deserialization path so that untrusted classes cannot be instantiated.
Workarounds
- Do not open Ghidra project files (.gpr, .rep) sourced from third parties on a patched-only basis
- Disable or avoid the Shared-Project feature until the upgrade is applied
- Run Ghidra inside an isolated virtual machine or container with no outbound network access to limit blast radius
- Use host firewall rules to block the Ghidra JVM from initiating outbound RMI connections
# Verify installed Ghidra version and upgrade
./ghidraRun --version
# Download Ghidra 12.1+ from the official release page and replace the install directory
# Example firewall rule (Linux nftables) to block outbound RMI from analyst host
nft add rule inet filter output tcp dport {1098,1099,1100} drop
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

