CVE-2026-52759 Overview
CVE-2026-52759 is an uncontrolled memory allocation vulnerability [CWE-789] in the Ghidra reverse engineering framework maintained by the National Security Agency. The flaw resides in the Mach-O binary parser in Ghidra versions before 12.1.1. An attacker can craft a Mach-O binary with an arbitrarily large ncmds load command count value. When Ghidra parses the file, the parser allocates excessive heap memory without validating the value against the actual file size. This exhausts JVM heap memory and crashes the Ghidra process, producing a denial-of-service condition for analysts performing static analysis on attacker-supplied samples.
Critical Impact
A single malicious Mach-O sample can crash the Ghidra JVM, disrupting reverse engineering workflows and potentially blocking incident response analysis.
Affected Products
- Ghidra versions before 12.1.1
- Ghidra Mach-O binary loader component
- Ghidra installations performing static analysis on untrusted Mach-O samples
Discovery Timeline
- 2026-06-10 - CVE-2026-52759 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-52759
Vulnerability Analysis
The vulnerability stems from how Ghidra's Mach-O loader processes the mach_header structure. The Mach-O header includes an ncmds field that declares the number of load commands following the header. Ghidra reads this 32-bit value and uses it to allocate memory for parsing those load commands. The loader does not cross-check ncmds against the actual size of the input file before allocating. An attacker setting ncmds to a very large value, such as 0xFFFFFFFF, causes the parser to request memory far exceeding what the file could legitimately require. The Java Virtual Machine running Ghidra then throws an OutOfMemoryError or terminates, halting analysis.
This class of weakness is tracked as Allocation of Resources Without Limits or Throttling [CWE-789]. The attack requires local access to a Ghidra instance and user interaction, since an analyst must open or import the malicious Mach-O file.
Root Cause
The root cause is missing input validation against file size bounds. The parser trusts the attacker-controlled ncmds field in the Mach-O header and uses it directly as an allocation parameter. A safe implementation must compute the maximum number of load commands the file can contain by dividing the remaining file size by the minimum load command size before allocating buffers.
Attack Vector
An attacker delivers a crafted Mach-O file to a target analyst through phishing, malware sample sharing platforms, or planted artifacts on a compromised host. When the analyst imports the file into Ghidra for analysis, the Mach-O loader parses the header and triggers the uncontrolled allocation. The Ghidra JVM consumes available heap memory and crashes. This disrupts reverse engineering workflows and can be used to evade analysis by samples that detect or anticipate Ghidra usage. See the GitHub Security Advisory and the VulnCheck Advisory for additional technical context.
Detection Methods for CVE-2026-52759
Indicators of Compromise
- Ghidra JVM crashes or OutOfMemoryError exceptions logged during Mach-O import operations
- Mach-O samples with ncmds values that exceed plausible bounds relative to file size
- Repeated Ghidra process terminations on analyst workstations after handling suspicious samples
Detection Strategies
- Pre-screen Mach-O samples with a lightweight parser that validates ncmds against file size before passing files to Ghidra
- Monitor Ghidra application.log and console.log files for java.lang.OutOfMemoryError entries tied to the Mach-O loader
- Alert on Ghidra process exits with non-zero status codes occurring shortly after file import events
Monitoring Recommendations
- Track Ghidra JVM memory consumption metrics on analyst workstations and flag rapid heap growth following file open events
- Log all Mach-O file imports into Ghidra and correlate with process termination events
- Centralize analyst workstation telemetry to identify repeated crashes that may indicate adversary attempts to disrupt analysis
How to Mitigate CVE-2026-52759
Immediate Actions Required
- Upgrade Ghidra to version 12.1.1 or later on all analyst workstations and shared analysis servers
- Restrict Mach-O analysis to isolated virtual machines or sandboxes until patching is complete
- Validate Mach-O samples with an external parser before opening them in unpatched Ghidra instances
Patch Information
The National Security Agency released Ghidra 12.1.1 to address this issue. The fix validates the ncmds field against the input file size before allocating buffers for load command parsing. Refer to the GitHub Security Advisory GHSA-v6c3-h9cp-3whf for the official patch reference.
Workarounds
- Perform Mach-O triage in disposable analysis virtual machines that can be restored after a crash
- Increase JVM heap limits in support/launch.properties only as a temporary measure, recognizing this delays but does not prevent the crash
- Avoid opening Mach-O files from untrusted sources in unpatched Ghidra installations
# Verify installed Ghidra version and upgrade if below 12.1.1
cat $GHIDRA_INSTALL_DIR/Ghidra/application.properties | grep application.version
# Replace prior installation with Ghidra 12.1.1 or later from the official release page
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

