MEDIUM 5.5

CVE-2026-52759: Ghidra Mach-O Parser Memory Exhaustion Denial of Service

Ghidra, the NSA's popular reverse-engineering framework, contains a vulnerability in how it processes Mach-O binary files (the executable format used by macOS and iOS). An attacker can craft a malicious binary with an invalid instruction count that tricks Ghidra into allocating enormous amounts of memory, exhausting system resources and crashing the application. This requires local access and user interaction—someone must open the malicious binary in Ghidra—but the impact is a reliable denial of service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.5 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-789
Affected products
1 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause denial of service. An attacker can supply a crafted Mach-O binary with an arbitrarily large ncmds load command count value, forcing the parser to allocate excessive heap memory without validating file size, crashing the Ghidra JVM.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-52759 is an uncontrolled memory allocation flaw in Ghidra's Mach-O parser triggered by a specially crafted ncmds load command count field. The parser fails to validate the relationship between the stated command count and the actual file size before allocating heap memory proportional to that count. An attacker can set ncmds to an arbitrarily large value, causing the JVM to attempt massive allocations without bounds checking, resulting in out-of-memory exceptions and process termination. The vulnerability exists in Ghidra versions prior to 12.1.1 and is classified under CWE-789 (Uncontrolled Allocation of Resources with Excessive Size Value).

Business impact

For security teams and threat analysts using Ghidra as a primary reverse-engineering tool, this vulnerability creates an availability risk. Malicious samples or files crafted by adversaries could be weaponized to crash Ghidra during analysis sessions, disrupting incident response workflows, malware triage, and binary analysis activities. In environments where Ghidra is integrated into automated analysis pipelines, crafted files could cause silent process failures. The vulnerability does not expose sensitive data or allow code execution, limiting its business severity to operational disruption rather than data breach or system compromise.

Affected systems

Ghidra versions before 12.1.1 are affected. The vulnerability is specific to the Mach-O binary parser and therefore primarily impacts users analyzing iOS, macOS, or other Mach-O format binaries. However, since Ghidra is often used in cross-platform malware analysis and threat research, the exposure may be broader than macOS-only reverse-engineering shops. Any security organization or researcher using Ghidra to examine binaries is potentially affected if they process untrusted input.

Exploitability

Exploitability is moderate. The attack vector is local (AV:L) with no special privileges required (PR:N), but it does require user interaction (UI:R)—the victim must open or process a crafted Mach-O binary within Ghidra. This is a realistic scenario in threat analysis environments where analysts examine suspicious files. The barrier to exploitation is low; crafting a malicious Mach-O with an inflated ncmds value requires only binary manipulation skills, not sophisticated reverse-engineering. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities catalog, suggesting limited public weaponization at this time, though the simplicity of the attack means threat actors could develop exploits rapidly.

Remediation

Upgrade Ghidra to version 12.1.1 or later. This version includes validation logic in the Mach-O parser that checks the ncmds value against the file size and available data before allocating memory. Organizations should prioritize this update for workstations and analysis infrastructure that regularly process potentially untrusted binaries. No workarounds are available short of avoiding analysis of untrusted Mach-O files or using alternative reverse-engineering tools.

Patch guidance

Ghidra is available as a standalone application and via package managers on supported platforms. Upgrade to 12.1.1 or newer by downloading from the official NSA Ghidra project repository or verifying the patch version in your distribution channel. If you manage Ghidra deployments across multiple analysts or integrate it into CI/CD pipelines, prioritize updates to shared analysis infrastructure. Verify the upgrade by checking Ghidra's Help > About menu or running 'ghidra --version' from the command line to confirm the installed version meets or exceeds 12.1.1.

Detection guidance

Monitor Ghidra process resource usage and crashes. Unexpected JVM out-of-memory exceptions or sudden Ghidra terminations when processing Mach-O files may indicate exploitation attempts. If you have endpoint detection tools, flag high memory allocation spikes followed by process termination in Ghidra. Review file submission logs in your analysis infrastructure for files with suspicious Mach-O headers (particularly abnormally large ncmds values). Endpoint logging of Ghidra crashes combined with file context can help identify coordinated attacks. Note that normal Ghidra operation may occasionally allocate significant memory, so correlate crashes with newly processed files to distinguish incidents from routine errors.

Why prioritize this

This vulnerability merits timely but not emergency patching. The CVSS score of 5.5 (Medium) reflects the local, user-interaction requirement and absence of confidentiality or integrity impact. However, the operational impact on security teams is non-trivial—analysts depend on Ghidra for reliable malware analysis. Prioritize patching for workstations and systems that regularly analyze external or untrusted binaries, particularly in threat intelligence and incident response roles. Development and research teams using Ghidra on controlled samples can defer patching slightly longer, though update within 30 days remains advisable.

Risk score, explained

The CVSS 3.1 base score of 5.5 reflects a Medium severity. Attack Vector (Local) and lack of privilege escalation potential cap the score, as do the absence of confidentiality or integrity impacts. However, the High availability impact (A:H) and the realistic user-interaction scenario (opening a file during analysis) justify elevation above minor severity. In contexts where Ghidra is mission-critical for incident response or threat analysis, the operational availability impact may warrant treating this as higher priority than the base CVSS suggests, particularly if threat intelligence indicates active exploitation in your threat landscape.

Frequently asked questions

Can this vulnerability be exploited remotely or only locally?

Only locally. The attacker must supply a crafted Mach-O file that the victim opens in Ghidra. Remote exploitation is not possible unless an attacker can trick a user into downloading and opening a malicious file, which depends on social engineering rather than network propagation.

Does this vulnerability allow attackers to steal data or execute code?

No. The vulnerability causes only a denial of service by exhausting memory and crashing Ghidra. There is no code execution, no data exfiltration, and no persistence. The impact is limited to disrupting analysis workflows.

Why does this affect security teams analyzing macOS malware but not Windows malware?

Mach-O is the binary format used by macOS and iOS. Ghidra's Mach-O parser is only invoked when analyzing files in that format. If you analyze PE (Windows) or ELF (Linux) binaries, the vulnerable Mach-O parser code path is not triggered, so the vulnerability does not apply.

If I cannot patch immediately, what can I do to reduce risk?

Limit analysis of untrusted Mach-O files to isolated test environments or sandboxes separate from critical systems. Disable automated analysis pipelines that process external Mach-O files until patched. Be cautious when opening suspicious or newly discovered macOS samples in Ghidra. These are temporary mitigations; patching should remain the primary goal.

This analysis is provided for informational purposes to support vulnerability management and security decision-making. The vulnerability details, patch status, and CVSS score reflect publicly available information as of the published date. Patch versions and affected product ranges must be verified against the official NSA Ghidra project advisory. Organizations should conduct their own risk assessment based on their specific Ghidra usage patterns, the sensitivity of analyzed binaries, and their incident response capabilities. SEC.co does not provide legal, compliance, or liability advice. Consult your vendor's security bulletins and your organization's patch management policies for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).