Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-52759

CVE-2026-52759: Ghidra Mach-O Parser DoS Vulnerability

CVE-2026-52759 is a denial of service flaw in Ghidra's Mach-O binary parser that allows attackers to crash the JVM through uncontrolled memory allocation. This post covers technical details, affected versions, and mitigation.

Published:

CVE-2026-52759 Overview

CVE-2026-52759 is an uncontrolled memory allocation vulnerability [CWE-789] in the Ghidra reverse engineering framework maintained by the National Security Agency. The flaw resides in the Mach-O binary parser in Ghidra versions before 12.1.1. An attacker can craft a Mach-O binary with an arbitrarily large ncmds load command count value. When Ghidra parses the file, the parser allocates excessive heap memory without validating the value against the actual file size. This exhausts JVM heap memory and crashes the Ghidra process, producing a denial-of-service condition for analysts performing static analysis on attacker-supplied samples.

Critical Impact

A single malicious Mach-O sample can crash the Ghidra JVM, disrupting reverse engineering workflows and potentially blocking incident response analysis.

Affected Products

  • Ghidra versions before 12.1.1
  • Ghidra Mach-O binary loader component
  • Ghidra installations performing static analysis on untrusted Mach-O samples

Discovery Timeline

  • 2026-06-10 - CVE-2026-52759 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-52759

Vulnerability Analysis

The vulnerability stems from how Ghidra's Mach-O loader processes the mach_header structure. The Mach-O header includes an ncmds field that declares the number of load commands following the header. Ghidra reads this 32-bit value and uses it to allocate memory for parsing those load commands. The loader does not cross-check ncmds against the actual size of the input file before allocating. An attacker setting ncmds to a very large value, such as 0xFFFFFFFF, causes the parser to request memory far exceeding what the file could legitimately require. The Java Virtual Machine running Ghidra then throws an OutOfMemoryError or terminates, halting analysis.

This class of weakness is tracked as Allocation of Resources Without Limits or Throttling [CWE-789]. The attack requires local access to a Ghidra instance and user interaction, since an analyst must open or import the malicious Mach-O file.

Root Cause

The root cause is missing input validation against file size bounds. The parser trusts the attacker-controlled ncmds field in the Mach-O header and uses it directly as an allocation parameter. A safe implementation must compute the maximum number of load commands the file can contain by dividing the remaining file size by the minimum load command size before allocating buffers.

Attack Vector

An attacker delivers a crafted Mach-O file to a target analyst through phishing, malware sample sharing platforms, or planted artifacts on a compromised host. When the analyst imports the file into Ghidra for analysis, the Mach-O loader parses the header and triggers the uncontrolled allocation. The Ghidra JVM consumes available heap memory and crashes. This disrupts reverse engineering workflows and can be used to evade analysis by samples that detect or anticipate Ghidra usage. See the GitHub Security Advisory and the VulnCheck Advisory for additional technical context.

Detection Methods for CVE-2026-52759

Indicators of Compromise

  • Ghidra JVM crashes or OutOfMemoryError exceptions logged during Mach-O import operations
  • Mach-O samples with ncmds values that exceed plausible bounds relative to file size
  • Repeated Ghidra process terminations on analyst workstations after handling suspicious samples

Detection Strategies

  • Pre-screen Mach-O samples with a lightweight parser that validates ncmds against file size before passing files to Ghidra
  • Monitor Ghidra application.log and console.log files for java.lang.OutOfMemoryError entries tied to the Mach-O loader
  • Alert on Ghidra process exits with non-zero status codes occurring shortly after file import events

Monitoring Recommendations

  • Track Ghidra JVM memory consumption metrics on analyst workstations and flag rapid heap growth following file open events
  • Log all Mach-O file imports into Ghidra and correlate with process termination events
  • Centralize analyst workstation telemetry to identify repeated crashes that may indicate adversary attempts to disrupt analysis

How to Mitigate CVE-2026-52759

Immediate Actions Required

  • Upgrade Ghidra to version 12.1.1 or later on all analyst workstations and shared analysis servers
  • Restrict Mach-O analysis to isolated virtual machines or sandboxes until patching is complete
  • Validate Mach-O samples with an external parser before opening them in unpatched Ghidra instances

Patch Information

The National Security Agency released Ghidra 12.1.1 to address this issue. The fix validates the ncmds field against the input file size before allocating buffers for load command parsing. Refer to the GitHub Security Advisory GHSA-v6c3-h9cp-3whf for the official patch reference.

Workarounds

  • Perform Mach-O triage in disposable analysis virtual machines that can be restored after a crash
  • Increase JVM heap limits in support/launch.properties only as a temporary measure, recognizing this delays but does not prevent the crash
  • Avoid opening Mach-O files from untrusted sources in unpatched Ghidra installations
bash
# Verify installed Ghidra version and upgrade if below 12.1.1
cat $GHIDRA_INSTALL_DIR/Ghidra/application.properties | grep application.version
# Replace prior installation with Ghidra 12.1.1 or later from the official release page

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.