CVE-2026-52753: Ghidra Rust Symbol Memory Exhaustion Denial of Service
Ghidra, NSA's widely-used reverse engineering framework, has a memory exhaustion vulnerability in how it handles Rust symbol names. When analyzing a malicious binary containing specially crafted Rust symbols, Ghidra can allocate memory unboundedly, consuming all available RAM and crashing the application. An attacker would need to craft a binary that a security analyst then opens in Ghidra to trigger the crash—this is not remotely exploitable, but it can disrupt analysis workflows and impact incident response timelines.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-789
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
Ghidra before 12.0.3 contains an out-of-memory vulnerability in the rust_demangle function that allocates unbounded output buffers without size limits. Attackers can craft malicious Rust symbol names in binaries to trigger exponential memory allocation, causing process crashes during binary analysis.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in Ghidra's rust_demangle function, which processes Rust mangled symbol names during binary analysis. The function does not enforce size limits on output buffer allocation, allowing exponential memory growth when processing adversarially crafted symbol names. The flaw falls under CWE-789 (Uncontrolled Allocation of Resources with Externally Controlled Size), a classic denial-of-service vector. The attack requires user interaction—opening a binary containing the malicious symbols—and is confined to the local system where Ghidra runs. NSA released version 12.0.3 to add proper bounds checking to the allocation logic.
Business impact
For security teams relying on Ghidra for malware analysis, incident response, or code review, this vulnerability creates operational friction. A crafted sample can force a crash mid-analysis, losing session state and delaying investigation. Organizations analyzing suspected malicious binaries in threat triage workflows are at direct risk. The impact is availability-focused; no code execution or data theft is possible, but business continuity for IR teams can be affected during peak incident response periods.
Affected systems
Ghidra versions before 12.0.3 are vulnerable. This includes all stable and development releases up through 12.0.2. Ghidra runs on Windows, Linux, and macOS systems. Any organization or analyst using Ghidra for binary analysis on these platforms is in scope. The vendor is NSA, and updates are distributed through their official GitHub releases and installer channels.
Exploitability
Exploitation is straightforward in concept—craft a Rust symbol name that triggers exponential allocation—but requires delivery to a target analyst. The attack vector is local; an attacker must place a malicious binary where a Ghidra user will open it, either by compromising a malware sample repository, sending the binary via email, or hosting it on a third-party download site. User interaction is mandatory (opening the binary), so this is not an autonomous network attack. The CVSS score of 5.5 (Medium) reflects low attack complexity, no privileges required, and high availability impact, but limited scope due to the local-only requirement.
Remediation
Upgrade Ghidra to version 12.0.3 or later. NSA released this patch to add size limits and bounds checking to the rust_demangle function, eliminating unbounded allocation. Organizations should prioritize this update for analysts handling untrusted or suspected malicious binaries. There is no known workaround short of avoiding analysis of Rust binaries or running Ghidra in isolated, resource-constrained environments where crashes are tolerable.
Patch guidance
Download and install Ghidra 12.0.3 from the official NSA GitHub repository (https://github.com/NationalSecurityAgency/ghidra/releases). Uninstall the previous version before installing the patch to avoid conflicts. Analysts should verify the release signature and checksums against NSA's published hashes. If you operate in an air-gapped or restricted environment, obtain the installer offline and validate its integrity before deployment. No command-line flags or configuration changes are needed; the patch is transparent to end users.
Detection guidance
Monitor Ghidra process behavior for unexpected crashes or out-of-memory exceptions when processing binaries, especially those containing Rust-compiled code or suspicious symbol tables. Log file analysis in Ghidra's installation directory may show stack traces mentioning rust_demangle. Network indicators are absent (the vulnerability is local-only), but you can track patch adoption by querying version information from analyst workstations. Consider using osquery or similar EDR tools to inventory Ghidra versions across your organization.
Why prioritize this
Although the CVSS score is Medium (5.5), this vulnerability merits prompt attention for security teams conducting incident response or malware triage. An attacker could weaponize this to disrupt analysis of their own malware, potentially masking other indicators of compromise. For organizations in active threat hunts or handling high volumes of suspicious samples, availability disruption is operationally damaging. The patch is low-risk and widely tested, making it a straightforward priority for systems actively engaged in reverse engineering or analysis workflows.
Risk score, explained
The CVSS 3.1 score of 5.5 is assigned Medium severity due to the following vector components: Attack Vector Local (AV:L) restricts exploitation to local system access; Attack Complexity Low (AC:L) means no special setup is needed beyond a crafted binary; Privileges Required None (PR:N) means any user can trigger it; User Interaction Required (UI:R) limits autonomous exploitation; Scope Unchanged (S:U) confines impact to the affected process; and Availability is High (A:H), reflecting process crash and denial of service. Confidentiality and Integrity are None (C:N, I:N) because the vulnerability does not leak data or corrupt files.
Frequently asked questions
Can this vulnerability be exploited remotely over the network?
No. This is a local vulnerability requiring user interaction. An attacker cannot exploit it by sending a network packet or compromising a remote server. The malicious binary must be opened by a user in Ghidra on their local system. However, an attacker could distribute the malicious binary via email, malware samples sharing, or compromised repositories to maximize the chance it reaches an analyst.
Does the patch require a Ghidra restart or configuration change?
No configuration change is required. Simply uninstall Ghidra 12.0.2 or earlier and install version 12.0.3 or later. All bounds checking is built into the patched binary. Analysts can resume normal workflows immediately after upgrading without any special configuration steps.
What Rust binaries are most likely to trigger this crash?
Any binary compiled from Rust code can contain mangled symbol names that exercise the vulnerability. Attackers can craft deliberately pathological symbol names to maximize memory allocation. Even legitimate Rust binaries might contain complex generic symbols that happen to trigger the bug, but weaponized samples would be specifically designed to cause failure. The vulnerability is not limited to obfuscated or malicious Rust code; the flaw exists in the parsing function itself.
Are there any known exploits or public proof-of-concept code?
As of the published date (June 10, 2026), no active exploits or proof-of-concept code has been disclosed in the wild. The vulnerability was reported responsibly and patched before widespread public knowledge. However, security researchers could generate malicious symbol names based on the CVE description, so treat all untrusted binaries with caution even after you've patched.
This analysis is provided for informational purposes to support vulnerability management and risk prioritization. It does not constitute legal advice or a guarantee of patch effectiveness in all environments. Verify patch compatibility with your Ghidra deployment, plugins, and workflows before production rollout. While the technical details are based on the published CVE record, security teams should consult NSA's official advisory and release notes for authoritative patch information. This vulnerability is not currently tracked as actively exploited in the wild, but threats evolve; monitor official security channels and your organization's threat intelligence feeds for updates. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-52759MEDIUMGhidra Mach-O Parser Memory Exhaustion Denial of Service
- CVE-2026-41178MEDIUMOpenTelemetry-Go Baggage Parsing DoS Vulnerability
- CVE-2026-47319MEDIUMrlottie Memory Allocation Vulnerability – Denial of Service Risk
- CVE-2026-10142HIGHkafka-python Denial-of-Service in Protocol Parser
- CVE-2026-49975HIGHApache HTTP Server Memory Allocation DoS Vulnerability (2.4.17–2.4.67)
- CVE-2026-49495MEDIUMGhidra Denial of Service via Malicious Mach-O Export Trie
- CVE-2026-49496MEDIUMGhidra Heap-Use-After-Free in Sleigh Decompiler—Patch v12.1
- CVE-2026-52756MEDIUMGhidra IsfServer Path Traversal Vulnerability