CVE-2026-49495
Status: Analyzed - Analysis Complete

Uncontrolled Resource Consumption in Ghidra via Malicious Mach-O Export Trie

Vulnerability report for CVE-2026-49495, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: VulnCheck

Description

Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
External records: NVD, EUVD

Affected Vendors & Products

Vendor: nsa
Product: ghidra
Version / Range: from 10.2 (inclusive) to 12.1 (exclusive)

Exploitability

CWE-835: The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49495 is a vulnerability in Ghidra versions before 12.1 that affects the ExportTrie.parseTrie() method used to traverse Mach-O binary export tries.

The method uses a breadth-first search (BFS) without cycle detection, so if a crafted Mach-O binary contains circular references in its export trie, it causes an infinite loop.

This infinite loop leads to unbounded queue growth and exponential string concatenation, which rapidly consumes memory and triggers an OutOfMemoryError.

Because OutOfMemoryError extends Error rather than Exception, it is not caught by the ordinary exception handlers in the analysis code, so the entire Java Virtual Machine (JVM) crashes, causing loss of all unsaved work and open Ghidra projects.

The vulnerability affects both GUI and headless modes and can be triggered by opening a minimal crafted Mach-O binary file.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing the entire JVM running Ghidra.

When triggered, it results in an OutOfMemoryError that causes Ghidra to crash, leading to the loss of all unsaved work and open projects.

The impact is primarily on availability, as the software becomes unusable until restarted, and any unsaved analysis or data is lost.

An attacker can exploit this by providing a crafted Mach-O binary with circular references, requiring only local access and user interaction to open the file.

Detection Guidance

This vulnerability is triggered by opening a specially crafted Mach-O binary file in Ghidra versions from 10.2 up to, but not including, 12.1. Detection involves identifying whether such a crafted Mach-O binary, one with circular references in its export trie, is present or being processed.

Since the issue causes unbounded queue growth and exponential string concatenation leading to an OutOfMemoryError and a JVM crash, monitoring Ghidra's JVM logs for repeated OutOfMemoryError entries during Mach-O binary analysis, particularly where the stack trace passes through ExportTrie.parseTrie(), can help detect exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly on a network or system.

Mitigation Strategies

The immediate mitigation step is to upgrade Ghidra to version 12.1 or later, which includes a patch that adds cycle detection by tracking visited offsets in the ExportTrie.parseTrie() method.

Until the upgrade is applied, avoid opening untrusted or suspicious Mach-O binary files in affected Ghidra versions to prevent triggering the vulnerability.
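The breadth-first traversal described in the Executive Summary and the visited-offset check described above, as an added example that is not Ghidra's code: a Python export-trie parser that fails fast when it reaches a node offset it has already visited. The node layout (uleb128 terminal-info size, terminal bytes, a one-byte child count, then per child a NUL-terminated edge label and a uleb128 node offset) is the Mach-O export-trie format as documented by dyld; the two byte strings at the bottom are constructed samples, one well-formed and one with a back edge.

```python
# Added example, not Ghidra's code; node layout follows dyld's export-trie format.
from collections import deque

def read_uleb128(data: bytes, pos: int) -> tuple[int, int]:
    """Decode an unsigned LEB128 value at pos; return (value, next position)."""
    result, shift = 0, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated uleb128 / node offset beyond end of trie")
        byte, pos = data[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def parse_export_trie(trie: bytes) -> list[str]:
    """BFS over nodes (uleb128 terminal size, terminal bytes, 1-byte child count,
    then per child a NUL-terminated label + uleb128 offset); return symbol names."""
    symbols, visited = [], set()
    queue = deque([(0, "")])  # (node offset from trie start, accumulated prefix)
    while queue:
        offset, prefix = queue.popleft()
        # A well-formed trie is a tree, so an offset seen twice is a cycle
        # (CVE-2026-49495): fail fast instead of re-queueing it forever.
        if offset in visited:
            raise ValueError(f"export trie cycle at node offset {offset}")
        visited.add(offset)
        term_size, pos = read_uleb128(trie, offset)
        if term_size:
            symbols.append(prefix)  # terminal node: prefix is a full symbol name
        pos += term_size            # skip flags/address, not needed for names
        child_count, pos = trie[pos], pos + 1
        for _ in range(child_count):
            end = trie.index(b"\x00", pos)
            label = trie[pos:end].decode("ascii")
            child_offset, pos = read_uleb128(trie, end + 1)
            queue.append((child_offset, prefix + label))
    return symbols

def export_trie_is_well_formed(trie: bytes) -> bool:
    try:
        return parse_export_trie(trie) is not None
    except (ValueError, IndexError):
        return False

# Constructed: root(0) -"_ma"-> 7; 7 -"in"-> 16, -"x"-> 20; 16 and 20 terminal, no children.
GOOD_TRIE = (b"\x00\x01_ma\x00\x07" + b"\x00\x02in\x00\x10x\x00\x14"
             + b"\x02\x00\x10\x00" + b"\x02\x00\x20\x00")
# Constructed back edge: node 7's only child "in" points back at offset 0.
CYCLIC_TRIE = b"\x00\x01_ma\x00\x07" + b"\x00\x01in\x00\x00"
```

Without the visited check, the cyclic sample would re-queue offset 0 with an ever-longer prefix, which is the unbounded queue growth and string concatenation the description refers to.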

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
