CVE-2024-58350: Ghidra Use-After-Free in Sleigh Backend
Ghidra, the reverse-engineering framework maintained by the NSA, contains a memory management flaw that can cause the application to hang or crash during shutdown. The problem stems from improperly ordered cleanup of internal components, where the program attempts to access memory that has already been freed. An attacker with local access can trigger this condition, resulting in a denial-of-service effect. This is a low-severity issue with limited real-world impact, as it requires local execution and only affects availability during the shutdown phase.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 2.9 LOW · CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-758
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order that causes iteration over deallocated memory.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2024-58350 is a use-after-free vulnerability in Ghidra's Sleigh backend caused by undefined static initialization order between the SleighArchitecture::translators and XmlArchitectureCapability singletons. During program termination, the destructors execute in an unsafe order, causing the code to iterate over deallocated memory. This triggers undefined behavior that typically manifests as an infinite loop or process hang. The vulnerability is classified under CWE-758 (Reliance on Undefined, Unspecified, or Implementation-Defined Behavior).
Business impact
The practical business impact is minimal. Ghidra is a specialized reverse-engineering tool used primarily by security researchers, malware analysts, and advanced development teams—not a widespread production system. The vulnerability only manifests during application shutdown, not during normal usage or analysis work. Organizations using Ghidra may experience minor inconvenience if the application hangs on exit, but no data loss, corruption, or lateral movement is possible. The low CVSS score (2.9) reflects this limited exposure.
Affected systems
Ghidra versions prior to 11.2 are vulnerable. The issue affects the Sleigh disassembly backend, which is a core component of the framework. However, only users running affected versions on local systems where an attacker has execution capability are at risk. This is not a network-exploitable vulnerability.
Exploitability
Exploitation requires local code execution on a system running a vulnerable Ghidra version. An attacker must be able to run code or trigger application shutdown on the target machine. The vulnerability is not remotely exploitable and does not grant elevated privileges or access to sensitive data. Real-world exploitation is unlikely given the limited user base and low impact.
Remediation
Update Ghidra to version 11.2 or later. The update addresses the static initialization order issue, ensuring safe destruction of singletons. Organizations should prioritize this update as part of routine maintenance rather than emergency patching.
Patch guidance
Download and install Ghidra 11.2 or the latest available version from the official NSA repository. Verify the integrity of the download against provided checksums. For organizations with centralized Ghidra deployments, coordinate the update with affected teams to minimize disruption. No special migration steps or configuration changes are required.
Detection guidance
Monitor for Ghidra processes that hang or exit abnormally during shutdown. In environments where Ghidra version inventory is maintained, scan systems to identify instances running versions before 11.2. Process monitoring can detect infinite loops at shutdown, though this is a minor operational indicator. No behavioral signatures are needed for active exploitation, as the vulnerability only manifests at termination.
Why prioritize this
This vulnerability should not drive urgent action. The combination of low severity (CVSS 2.9), local-only exploitation requirements, and limited real-world impact means it can be addressed through standard patching cycles. Organizations should update when convenient, but do not require emergency response protocols. Prioritize other vulnerabilities affecting broader attack surfaces or critical systems.
Risk score, explained
The CVSS 3.1 score of 2.9 reflects: attack vector of Local (requires local execution), attack complexity of High (specific conditions needed to trigger during shutdown), and impact limited to Availability (denial of service only). The vulnerability requires an attacker to already have execution capability on the target system, which is a significant barrier. No confidentiality or integrity impact is possible.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. CVE-2024-58350 requires local code execution or the ability to trigger application shutdown on the target system. It cannot be exploited over a network.
Does this affect Ghidra users analyzing malware or performing reverse engineering?
No. The vulnerability only manifests during application shutdown, not during normal analysis work. Users will not experience issues while actively using Ghidra; they may only notice the application hangs when exiting.
What should I do if I use Ghidra?
Update to Ghidra 11.2 or later at your earliest convenience. Check your current version (Help > About Ghidra) and upgrade through your package manager or the official NSA repository. This is routine maintenance rather than an emergency patch.
Are there workarounds if I cannot update immediately?
Since the vulnerability only affects shutdown, you can continue using Ghidra normally. If hangs occur on exit, simply force-close the process. However, updating is the proper solution and should be done as part of regular maintenance cycles.
This analysis is based on the CVE record and vendor information current as of the publication date. Severity assessments and real-world impact may evolve as additional context emerges. Organizations should verify patch availability and compatibility in their specific environments before deployment. SEC.co makes no warranty regarding the accuracy or completeness of this analysis and recommends cross-referencing official vendor advisories for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49497LOWGhidra Path Traversal in Debug Symbol Resolution
- CVE-2026-49495MEDIUMGhidra Denial of Service via Malicious Mach-O Export Trie
- CVE-2026-49496MEDIUMGhidra Heap-Use-After-Free in Sleigh Decompiler—Patch v12.1
- CVE-2026-49498HIGHGhidra PostgreSQL SQL Injection – Privilege Escalation Vulnerability
- CVE-2026-52750HIGHGhidra Windows Command Injection via URL Annotation
- CVE-2026-52751HIGHGhidra Unsafe Deserialization Remote Code Execution (CVSS 8.8)
- CVE-2026-52752HIGHGhidra Path Traversal in Extension Installer (CVSS 7.8)
- CVE-2026-52753MEDIUMGhidra Rust Symbol Memory Exhaustion Denial of Service