CVE-2026-49495
Uncontrolled Resource Consumption in Ghidra via Malicious Mach-O Export Trie

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.

Affected Vendors & Products

Vendor | Product | Version / Range
nationalsecurityagency | ghidra | 10.2
nationalsecurityagency | ghidra | From 10.2 (inc) to 12.1 (inc)

CWE ID | Description
CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Executive Summary

CVE-2026-49495 is a vulnerability in Ghidra versions before 12.1 that affects the ExportTrie.parseTrie() method used to traverse Mach-O binary export tries.

The method uses a breadth-first search (BFS) without cycle detection, so if a crafted Mach-O binary contains circular references in its export trie, it causes an infinite loop.

This infinite loop leads to unbounded queue growth and exponential string concatenation, which rapidly consumes memory and triggers an OutOfMemoryError.

Because OutOfMemoryError extends Error and bypasses normal exception handlers, the entire Java Virtual Machine (JVM) crashes, causing loss of all unsaved work and open Ghidra projects.

The vulnerability affects both GUI and headless modes and can be triggered by opening a minimal crafted Mach-O binary file.

Impact Analysis

This vulnerability can cause a denial-of-service (DoS) condition by crashing the entire JVM running Ghidra.

When triggered, it results in an OutOfMemoryError that causes Ghidra to crash, leading to the loss of all unsaved work and open projects.

The impact is primarily on availability, as the software becomes unusable until restarted, and any unsaved analysis or data is lost.

An attacker can exploit this by providing a crafted Mach-O binary with circular references, requiring only local access and user interaction to open the file.

Detection Guidance

This vulnerability is triggered by opening a specially crafted Mach-O binary file in Ghidra versions 10.2 through 12.1. Detection involves identifying if such a crafted Mach-O binary with circular references in the export trie is present or being processed.

Since the issue causes unbounded queue growth and exponential string concatenation leading to an OutOfMemoryError and JVM crash, monitoring Ghidra's JVM logs for repeated OutOfMemoryError exceptions during Mach-O binary analysis can help detect exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly on a network or system.
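
As an added example (not code from Ghidra or from the advisory), the following pre-screening check walks an export trie blob while tracking visited node offsets, the same idea the fix is described as using, and reports nodes reached more than once or child offsets outside the trie. It assumes the caller has already extracted the export trie bytes from the Mach-O file; the function names and sample byte strings are constructed for illustration.

```python
# Added example: cycle-aware walk of a Mach-O export trie blob (not Ghidra code).
# Node layout: ULEB128 terminal size, terminal payload, 1-byte child count,
# then per child a NUL-terminated edge label and a ULEB128 node offset.

# Constructed sample tries (trie bytes only, not complete Mach-O files).
BENIGN_TRIE = bytes.fromhex("00015f610006" "02001000")  # root -> "_a" -> leaf at 6
CYCLIC_TRIE = bytes.fromhex("00015f610000")             # child offset points at root


def read_uleb128(buf, pos):
    """Decode one ULEB128 value; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or oversized ULEB128")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7


def check_export_trie(trie):
    """Return a list of findings; an empty list means the walk ended cleanly."""
    findings, visited, pending = [], set(), [0]
    while pending:
        offset = pending.pop()
        if offset in visited:
            findings.append(f"node 0x{offset:x} reached more than once (cycle or shared node)")
            continue
        visited.add(offset)          # each node is parsed at most once
        try:
            size, pos = read_uleb128(trie, offset)
            pos += size              # skip the terminal (export info) payload
            child_count = trie[pos]
            pos += 1
            for _ in range(child_count):
                pos = trie.index(0, pos) + 1   # skip NUL-terminated edge label
                child, pos = read_uleb128(trie, pos)
                if child >= len(trie):
                    findings.append(f"child offset 0x{child:x} outside trie")
                else:
                    pending.append(child)
        except (ValueError, IndexError):
            findings.append(f"malformed node at 0x{offset:x}")
    return findings
```

Because every offset is parsed at most once, the walk is bounded by the size of the trie regardless of its contents, so it can be run on untrusted samples before they are imported into an affected Ghidra version.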

Mitigation Strategies

The immediate mitigation step is to upgrade Ghidra to version 12.1 or later, which includes a patch that adds cycle detection by tracking visited offsets in the ExportTrie.parseTrie() method.

Until the upgrade is applied, avoid opening untrusted or suspicious Mach-O binary files in affected Ghidra versions to prevent triggering the vulnerability.
