CVE-2026-52757: Ghidra Heap-Use-After-Free in Decompiler
Ghidra, the National Security Agency's widely-used reverse-engineering and binary analysis platform, contains a memory safety bug in its decompiler. When a specially crafted binary file is opened in Ghidra's decompiler view, the application can access memory that has already been freed, potentially corrupting data or crashing the program. An attacker would need to distribute a malicious binary and convince a user to analyze it in Ghidra—the vulnerability itself does not allow remote code execution or network-based attacks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.4 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
- Weaknesses (CWE)
- CWE-416
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-07-14
NVD description (verbatim)
Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, reading and writing the flags field of freed heap memory when a user opens the binary in Ghidra's decompiler view.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-52757 is a heap-use-after-free vulnerability (CWE-416) in Ghidra's decompiler module, specifically within the HighVariable::merge() function during the variable merging optimization pass. The defect occurs when stale pointers stored in the HighIntersectTest::highedgemap cache are dereferenced without validation, allowing reads and writes to the flags field of previously freed heap memory. This memory safety issue is triggered when a user opens a maliciously crafted binary file in the decompiler UI, making it dependent on user interaction to activate.
Business impact
For organizations using Ghidra as part of malware analysis, vulnerability research, or security assessment workflows, this vulnerability introduces operational risk. A compromised analysis session could yield incorrect decompilation output, potentially leading to missed security findings or misclassification of malware behavior. In high-security environments where binary analysis directly informs threat intelligence or patch prioritization, data corruption could cascade into downstream decisions. The vulnerability is not remotely exploitable and requires user action, limiting its direct impact on infrastructure.
Affected systems
Ghidra versions prior to 12.1 are affected. Organizations running Ghidra 12.0 or earlier—particularly those performing regular malware triage, reverse engineering, or security research—should assess their exposure. The vulnerability is specific to Ghidra and does not affect other reverse-engineering tools or platforms, though cross-tool adoption varies widely across security teams.
Exploitability
Exploitation requires an attacker to craft a specialized binary file and either deliver it to a target analyst or place it where one might discover and analyze it. The CVSS score of 4.4 (Medium) reflects the local attack surface and mandatory user interaction. There is no unauthenticated remote exploitation path, no privilege escalation vector, and no confidentiality impact—the defect causes integrity and availability issues only. This is a classic user-interaction-dependent vulnerability with limited real-world weaponization incentive outside targeted scenarios.
Remediation
Upgrade Ghidra to version 12.1 or later. The patch addresses the memory management issue in the variable merging pass. Organizations should verify patch availability through the NSA's official Ghidra release channels and test compatibility with existing scripts or plugins before production deployment. For teams unable to patch immediately, restricting analysis of untrusted binaries to sandboxed or air-gapped Ghidra instances reduces risk.
Patch guidance
Verify that Ghidra 12.1 or a later version is available from the official NSA Ghidra repository or your organization's software distribution channel. Apply the update during a maintenance window, as Ghidra decompiler updates rarely require system-level changes. Test any custom Ghidra extensions or analysis scripts post-upgrade to ensure compatibility. The patch does not require configuration changes or system reboot.
Detection guidance
Monitor for unexpected Ghidra process crashes or terminal output when opening binary files in the decompiler view, as these may indicate exploitation or attempted triggering of the vulnerability. Log analysis tools should flag abnormal Ghidra behavior tied to file access. Network-based detection is not applicable since the attack is entirely local. Consider alerting on the presence of Ghidra versions older than 12.1 via software inventory or endpoint detection tools. Forensic analysis of Ghidra's temporary analysis files may reveal evidence of malformed binaries processed prior to a crash.
Why prioritize this
Although the CVSS score is Medium (4.4), prioritize patching within standard maintenance windows rather than as an emergency. The vulnerability requires user interaction, affects a specialized tool with a defined user base, and offers no remote exploitation path. However, organizations actively performing binary analysis of untrusted or adversary-supplied samples should patch sooner, as the attack vector aligns directly with their threat model. For general enterprise environments without active reverse-engineering operations, this is a routine update rather than a critical priority.
Risk score, explained
The CVSS 3.1 score of 4.4 reflects a local-only attack vector (AV:L), low attack complexity (AC:L), no privilege requirements (PR:N), and mandatory user interaction (UI:R). Scope is unchanged (S:U), with no confidentiality impact (C:N) but both integrity and availability degradation possible (I:L, A:L). The score appropriately captures the limited threat landscape: while the technical flaw is real, its practical risk is constrained by the need to deliver a crafted binary and persuade a user to open it in a specific tool.
Frequently asked questions
Can this vulnerability be exploited remotely or over the network?
No. CVE-2026-52757 is a local vulnerability that requires an attacker to place a malicious binary where a user will open it in Ghidra's decompiler. There is no remote code execution, network propagation, or vulnerability in Ghidra's server or update mechanisms.
What happens if the vulnerability is exploited?
The vulnerability causes a heap-use-after-free, which can lead to memory corruption and program crashes. An attacker cannot directly read sensitive data or execute arbitrary code; however, data corruption during decompilation could produce incorrect analysis results, potentially causing an analyst to misclassify malware or miss critical indicators.
Do I need to patch immediately?
If your organization uses Ghidra regularly to analyze untrusted binaries, patch during your next scheduled maintenance window—within days to weeks, not months. If Ghidra is rarely used or only analyzes trusted code, patching can be coordinated with broader update cycles. There are no known public exploits or active KEV status as of the advisory date.
Are there workarounds if I cannot patch right away?
Yes. Limit analysis of potentially malicious or untrusted binaries to isolated, air-gapped systems running Ghidra. Avoid opening binaries from unknown or untrusted sources in the decompiler view until patched. Static analysis tools that do not rely on Ghidra's decompiler can serve as temporary alternatives for threat assessment.
This analysis is provided for informational purposes and reflects the vulnerability state as of the publication date. CVSS scores, patch versions, and vendor advisories are subject to change; verify all technical details against the NSA's official Ghidra releases and security advisories before deployment decisions. This document does not constitute legal or compliance advice. Organizations should conduct their own risk assessments based on their use of Ghidra, their analysis workflows, and their threat landscape. SEC.co does not host or distribute patches; download updates only from official NSA Ghidra repositories. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-49496MEDIUMGhidra Heap-Use-After-Free in Sleigh Decompiler—Patch v12.1
- CVE-2025-60486MEDIUMHeap Use-After-Free in GPAC MP4Box MPEG-2 Dasher – DoS Vulnerability
- CVE-2026-10232MEDIUMAssimp Use-After-Free in ASE Parser (CVSS 5.3)
- CVE-2026-10703MEDIUMUse-After-Free in EIPStackGroup OpENer Remote Code Execution Risk
- CVE-2026-11073MEDIUMChrome WebGL Use-After-Free Information Disclosure
- CVE-2026-11208MEDIUMUse-After-Free in Chrome Codecs – Information Disclosure Vulnerability
- CVE-2026-11249MEDIUMChrome Use-After-Free Information Disclosure Vulnerability
- CVE-2026-11623MEDIUMUse-After-Free in tmux 3.6a Image Handling – MEDIUM Severity