By vendor
Nsa vulnerabilities
Known CVEs affecting Nsa products, prioritized by severity, with SEC.co remediation and detection guidance.
15 published vulnerabilities
- CVE-2026-49498HIGH 8.8
Ghidra versions 11.0 through 12.0 contain a SQL injection flaw in the password-change functionality of its PostgreSQL database integration. An authenticated user can manipulate their username to inject malicious SQL commands, ultimately gaining superuser access to the entire PostgreSQL database. This is a post-authentication attack that requires valid credentials but can lead to complete database compromise.
- CVE-2026-52751HIGH 8.8
Ghidra, the NSA's open-source reverse-engineering toolkit, contains a critical flaw in how it handles project files shared over its network protocol. When you open a malicious project file (identified by a ghidra:// link), the application deserializes untrusted data without proper validation. An attacker can exploit this to run arbitrary commands on your machine with the privileges of your Ghidra process. The vulnerability affects all versions before 12.1 and requires only that a user click to open a file—no special authentication or configuration is needed.
- CVE-2026-52754HIGH 8.8
Ghidra versions before 12.1 contain a critical authentication flaw that allows any legitimate user to impersonate other users. An attacker with a valid certificate can bypass the signature verification step and assume the identity of colleagues, administrators, or other users. This breaks the core security model of certificate-based authentication and enables privilege escalation, unauthorized data access, and control of shared reverse engineering databases.
- CVE-2026-52758HIGH 8.8
Ghidra, the NSA's reverse-engineering toolkit, contains a SQL injection flaw in its BSim (Binary Similarity) feature before version 12.1. An attacker with network access and valid credentials can craft malicious queries through BSim's network protocol to inject SQL commands directly into the underlying PostgreSQL database. This allows reading sensitive data, modifying existing records, or destroying data outright. The vulnerability requires authentication, but the impact if exploited is severe.
- CVE-2026-52750HIGH 7.8
Ghidra, the reverse-engineering toolkit maintained by the NSA, has a vulnerability in how it handles URLs embedded in program annotations on Windows systems. If a researcher opens a Ghidra project containing a malicious URL hidden in a code comment and clicks that URL, an attacker can run arbitrary commands on their machine with the same privileges as the Ghidra user. The vulnerability affects Ghidra versions before 12.1 and requires user interaction—an analyst must click the embedded link for the attack to succeed.
- CVE-2026-52752HIGH 7.8
Ghidra, the NSA's open-source reverse-engineering framework, contains a flaw in how it handles user-installed extensions. When you install an extension (a ZIP file that adds features), the software doesn't properly check whether filenames inside that ZIP are trying to escape the extension directory using path-traversal tricks like '../'. A malicious actor can create a specially crafted extension that, when installed, writes files anywhere on your system where Ghidra has write access—potentially including executable locations that would let them run arbitrary code with the same privileges as your user account.
- CVE-2026-52755HIGH 7.8
Ghidra, the NSA's reverse-engineering and binary analysis framework, contains a vulnerability in its theme import feature that allows an attacker to write files anywhere on a user's system, not just in the theme directory. An attacker can craft a malicious theme file—distributed as a ZIP archive—with specially crafted filenames that escape the intended directory. When a user imports this theme, files get written to unexpected locations, potentially allowing code execution or modification of critical system files like SSH keys or shell initialization scripts. This requires the user to actively import the malicious theme, but once triggered, the impact is severe.
- CVE-2026-49496MEDIUM 6.1
Ghidra, the NSA's open-source reverse engineering framework, contains a memory safety bug in its Sleigh decompilation engine that can corrupt heap memory. When processing malicious binaries, the vulnerability allows an attacker to trigger a use-after-free condition—where the software attempts to access memory that has already been freed. The flaw affects version 12.0 and earlier; upgrading to version 12.1 or later resolves the issue. While exploitation requires user interaction (opening a malicious binary), the memory corruption could lead to application crashes or, in carefully crafted scenarios, potential code execution.
- CVE-2026-49495MEDIUM 5.5
Ghidra, the NSA's reverse-engineering framework, contains a flaw that can crash the entire application when you open a specially crafted Mach-O binary file. The problem stems from how Ghidra parses export information in these binaries—if an attacker creates a file with circular references in its export structure, Ghidra will get stuck in an infinite loop, consuming memory until the Java runtime runs out and terminates. This causes the loss of any unsaved work in the active Ghidra session.
- CVE-2026-52753MEDIUM 5.5
Ghidra, NSA's widely-used reverse engineering framework, has a memory exhaustion vulnerability in how it handles Rust symbol names. When analyzing a malicious binary containing specially crafted Rust symbols, Ghidra can allocate memory unboundedly, consuming all available RAM and crashing the application. An attacker would need to craft a binary that a security analyst then opens in Ghidra to trigger the crash—this is not remotely exploitable, but it can disrupt analysis workflows and impact incident response timelines.
- CVE-2026-52759MEDIUM 5.5
Ghidra, the NSA's popular reverse-engineering framework, contains a vulnerability in how it processes Mach-O binary files (the executable format used by macOS and iOS). An attacker can craft a malicious binary with an invalid instruction count that tricks Ghidra into allocating enormous amounts of memory, exhausting system resources and crashing the application. This requires local access and user interaction—someone must open the malicious binary in Ghidra—but the impact is a reliable denial of service.
- CVE-2026-52756MEDIUM 4.8
Ghidra, the NSA's reverse-engineering framework, contains a path traversal flaw in its IsfServer network component. An unauthenticated attacker can connect to the default listening port and craft specially formatted messages to probe and enumerate files on the system running Ghidra. The vulnerability allows limited information disclosure and potential denial of service, but does not enable code execution or file modification.
- CVE-2026-52757MEDIUM 4.4
Ghidra, the National Security Agency's widely-used reverse-engineering and binary analysis platform, contains a memory safety bug in its decompiler. When a specially crafted binary file is opened in Ghidra's decompiler view, the application can access memory that has already been freed, potentially corrupting data or crashing the program. An attacker would need to distribute a malicious binary and convince a user to analyze it in Ghidra—the vulnerability itself does not allow remote code execution or network-based attacks.
- CVE-2026-49497LOW 3.3
Ghidra, the NSA's reverse-engineering framework, contains a path traversal flaw in its debug symbol handler. When you open a malicious ELF binary, Ghidra automatically tries to load debugging information referenced in the binary's .gnu_debuglink section. An attacker can craft that section with path traversal sequences (like "../") to trick Ghidra into checking whether arbitrary files exist on your system and leaking their CRC32 checksums. This is a local attack—the attacker needs you to open a malicious file—but it can reveal information about your system's filesystem structure and contents.
- CVE-2024-58350LOW 2.9
Ghidra, the reverse-engineering framework maintained by the NSA, contains a memory management flaw that can cause the application to hang or crash during shutdown. The problem stems from improperly ordered cleanup of internal components, where the program attempts to access memory that has already been freed. An attacker with local access can trigger this condition, resulting in a denial-of-service effect. This is a low-severity issue with limited real-world impact, as it requires local execution and only affects availability during the shutdown phase.