CVE-2026-49496
Status: Received - Intake
Heap-Use-After-Free in Ghidra Decompiler

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, affecting downstream SLEIGH library consumers.
Meta Information
Generated: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: national_security_agency
Product: ghidra
Version / Range: up to 12.1 (12.1 excluded)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-49496 is a heap-use-after-free vulnerability in Ghidra versions before 12.1, specifically in the SleighBuilder::generatePointerAdd function. The issue occurs due to iterator invalidation when the PcodeCacher::allocateInstruction function reallocates a vector holding PcodeData objects. This reallocation frees the old buffer and invalidates pointers into it, but SleighBuilder::generatePointerAdd continues to use a raw pointer to the old buffer, leading to memory corruption.

Attackers can exploit this vulnerability by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, which triggers the use-after-free condition and causes memory corruption. This affects downstream consumers of the SLEIGH C++ backend library but does not impact the Ghidra Java interface.
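The defect class described above (a raw pointer into a std::vector buffer that is kept across a push_back that reallocates) is easy to reproduce in isolation. The following is an added illustration, not code from Ghidra or the SLEIGH library: PcodeRecord, RecordCache, allocateRaw and allocateIndex are hypothetical stand-ins chosen to mirror the "allocate, then keep using the result" shape in the advisory. The hazardous variant never dereferences the stale pointer; it only reports whether the second allocation moved the buffer. The hardened variant keeps an index instead of a pointer and resolves it on every access, which is one standard fix for this iterator-invalidation pattern.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for a PcodeData-like record (assumption: not Ghidra's type).
struct PcodeRecord {
    int opcode;
    int64_t operand;
};

// Constructed stand-in for a cacher that owns a growable vector of records.
// Names are hypothetical; only the growth behaviour of std::vector matters here.
class RecordCache {
public:
    // Hazardous pattern: returns a raw pointer into the vector's buffer.
    // Any later push_back that exceeds capacity() reallocates the buffer,
    // frees the old one, and leaves every previously returned pointer dangling.
    PcodeRecord* allocateRaw(int opcode) {
        issued_.push_back(PcodeRecord{opcode, 0});
        return &issued_.back();
    }

    // Hardened pattern: hand out a stable index and resolve it on each use.
    // Indices survive reallocation because they name a position, not an address.
    std::size_t allocateIndex(int opcode) {
        issued_.push_back(PcodeRecord{opcode, 0});
        return issued_.size() - 1;
    }

    PcodeRecord& at(std::size_t idx) { return issued_.at(idx); }
    std::size_t size() const { return issued_.size(); }
    std::size_t capacity() const { return issued_.capacity(); }
    void reserve(std::size_t n) { issued_.reserve(n); }

private:
    std::vector<PcodeRecord> issued_;
};

// Reproduces the risky sequence without dereferencing the stale pointer:
// take a pointer to one record, allocate another, and report whether the
// second allocation moved the buffer. In std::vector a capacity change is an
// exact signal of reallocation, so a true result means `first` now dangles.
bool rawPointerDangles(std::size_t preReserve) {
    RecordCache cache;
    cache.reserve(preReserve);
    PcodeRecord* first = cache.allocateRaw(1);
    std::size_t capBefore = cache.capacity();
    cache.allocateRaw(2);                       // may grow and reallocate
    bool reallocated = cache.capacity() != capBefore;
    (void)first;                                // deliberately never dereferenced
    return reallocated;
}

// Hardened sequence: keep indices and re-resolve after every allocation.
// The write through firstIdx stays valid no matter how often the vector grows.
int64_t sumOperandsByIndex(int extraRecords) {
    RecordCache cache;
    std::size_t firstIdx = cache.allocateIndex(1);
    for (int i = 0; i < extraRecords; ++i) {
        std::size_t idx = cache.allocateIndex(2 + i);   // may reallocate
        cache.at(idx).operand = i;
    }
    cache.at(firstIdx).operand = 100;       // still valid after any growth
    int64_t total = 0;
    for (std::size_t i = 0; i < cache.size(); ++i) {
        total += cache.at(i).operand;
    }
    return total;
}

int main() {
    std::printf("reserve(1): pointer dangles after 2nd allocation = %d\n",
                rawPointerDangles(1) ? 1 : 0);
    std::printf("reserve(8): pointer dangles after 2nd allocation = %d\n",
                rawPointerDangles(8) ? 1 : 0);
    std::printf("index-based sum with 4 extra records = %lld\n",
                static_cast<long long>(sumOperandsByIndex(4)));
    return 0;
}
```

If the hazardous variant did read through `first` after the growth, a build with `-fsanitize=address -g` reports the access as heap-use-after-free, because std::vector releases the old buffer on reallocation and AddressSanitizer quarantines freed memory; that is the signal the detection guidance below relies on. Reserving capacity up front only narrows the window, so the durable fix is the index-based access or re-fetching the element after every call that may grow the vector.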

Impact Analysis

This vulnerability can lead to memory corruption when processing malicious binaries, which may result in data integrity issues or system instability. Since it is a heap-use-after-free bug, it could potentially be exploited to cause crashes or unexpected behavior in applications using the affected SLEIGH C++ backend.

The CVSS scores indicate moderate severity: limited integrity impact and high availability impact, meaning an affected system could become unreliable or unavailable during exploitation.

Detection Guidance

CVE-2026-49496 can be detected by monitoring use of the Sleigh::oneInstruction C++ API when decompiling binaries, particularly binaries from untrusted sources. Detection is strengthened by AddressSanitizer, which has been confirmed to identify this heap-use-after-free during testing.

Since this is a heap-use-after-free vulnerability triggered by iterator invalidation during vector reallocation in the SleighBuilder::generatePointerAdd function, running Ghidra with AddressSanitizer enabled on suspicious binaries can help detect memory corruption issues.

Specific commands are not provided in the resources, but a general approach would be to run Ghidra under AddressSanitizer or similar memory error detection tools while processing potentially malicious binaries through the Sleigh::oneInstruction API.

Mitigation Strategies

The immediate mitigation step is to update Ghidra to version 12.1 or later, where the heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd has been patched.

Avoid decompiling untrusted or malicious binaries using vulnerable versions of Ghidra prior to 12.1, especially through the Sleigh::oneInstruction C++ API.

If updating immediately is not possible, consider running Ghidra in a controlled environment with memory error detection tools like AddressSanitizer to monitor for exploitation attempts.
