CVE-2026-49496
Status: Analyzed - Analysis Complete

Heap-Use-After-Free in Ghidra Decompiler

Vulnerability report for CVE-2026-49496, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: VulnCheck

Description

Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, affecting downstream SLEIGH library consumers.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
External records: NVD, EUVD

Affected Vendors & Products

Showing 1 associated CPE

Vendor | Product | Version / Range
nsa    | ghidra  | before 12.1 (12.1 excluded)

Exploitability

CWE-416 (Use After Free): The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49496 is a heap-use-after-free vulnerability in Ghidra versions before 12.1, specifically in the SleighBuilder::generatePointerAdd function. The issue occurs due to iterator invalidation when the PcodeCacher::allocateInstruction function reallocates a vector holding PcodeData objects. This reallocation frees the old buffer and invalidates pointers into it, but SleighBuilder::generatePointerAdd continues to use a raw pointer to the old buffer, leading to memory corruption.
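A minimal model of the bug pattern, added here as an illustration and not taken from Ghidra's SLEIGH code (PcodeData, Cacher, the opcode values and the loop counts are assumed stand-ins): the raw-pointer version reproduces the iterator invalidation the summary describes, and the index-based version is the usual fix.

```cpp
// Simplified model of the CVE-2026-49496 bug class. Names mirror the advisory,
// but the classes are stand-ins, not Ghidra's SLEIGH code.
#include <cstddef>
#include <cstdint>
#include <vector>

struct PcodeData {          // stand-in for the real PcodeData record
    int opcode = 0;
    std::uintptr_t out = 0;
};

class Cacher {              // stand-in for PcodeCacher
public:
    std::vector<PcodeData> issued;
    // Appends one op. Returns an index, which stays valid across reallocation;
    // a pointer or iterator into 'issued' does not.
    std::size_t allocateInstruction(int opcode) {
        issued.push_back(PcodeData{opcode, 0});
        return issued.size() - 1;
    }
};

// Vulnerable pattern (mirrors the advisory's root cause). Not called below: the
// write through 'op' after the later allocations is a heap-use-after-free,
// which AddressSanitizer reports once 'issued' has been reallocated.
void pointer_add_vulnerable(Cacher& c) {
    PcodeData* op = &c.issued[c.allocateInstruction(10)];   // raw pointer into buffer
    for (int i = 0; i < 64; ++i) c.allocateInstruction(11); // may reallocate -> 'op' dangles
    op->out = 0x1000;                                       // UAF write
}

// Demonstrates the invalidation itself without touching freed memory: push
// when size == capacity, which forces std::vector to move its buffer.
bool reallocation_invalidates_pointers() {
    Cacher c;
    c.allocateInstruction(1);
    while (c.issued.size() < c.issued.capacity()) c.allocateInstruction(1);
    auto before = reinterpret_cast<std::uintptr_t>(c.issued.data());
    c.allocateInstruction(2);                               // must reallocate here
    return before != reinterpret_cast<std::uintptr_t>(c.issued.data());
}

// Hardened pattern: keep the index and re-resolve it after any allocation.
std::uintptr_t pointer_add_safe() {
    Cacher c;
    std::size_t base = c.allocateInstruction(10);
    for (int i = 0; i < 64; ++i) c.allocateInstruction(11); // reallocation is harmless now
    c.issued[base].out = 0x1000;                            // index resolved after growth
    return c.issued[base].out;
}
```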

Attackers can exploit this vulnerability by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, which triggers the use-after-free condition and causes memory corruption. This affects downstream consumers of the SLEIGH C++ backend library but does not impact the Ghidra Java interface.

Impact Analysis

This vulnerability can lead to memory corruption when processing malicious binaries, which may result in data integrity issues or system instability. Since it is a heap-use-after-free bug, it could potentially be exploited to cause crashes or unexpected behavior in applications using the affected SLEIGH C++ backend.

The CVSS scores indicate medium severity, with low integrity impact and high availability impact, meaning the affected process can crash or become unreliable during exploitation.

Detection Guidance

Detection of CVE-2026-49496 relies on monitoring where the Sleigh::oneInstruction C++ API is invoked on binaries of untrusted origin. Detection can be strengthened with AddressSanitizer, which has been confirmed to flag this heap-use-after-free during testing.

Since this is a heap-use-after-free vulnerability triggered by iterator invalidation during vector reallocation in the SleighBuilder::generatePointerAdd function, running Ghidra with AddressSanitizer enabled on suspicious binaries can help detect memory corruption issues.

Specific commands are not provided in the resources, but a general approach would be to run Ghidra under AddressSanitizer or similar memory error detection tools while processing potentially malicious binaries through the Sleigh::oneInstruction API.

Mitigation Strategies

The immediate mitigation step is to update Ghidra to version 12.1 or later, where the heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd has been patched.

Avoid decompiling untrusted or malicious binaries using vulnerable versions of Ghidra prior to 12.1, especially through the Sleigh::oneInstruction C++ API.

If updating immediately is not possible, consider running Ghidra in a controlled environment with memory error detection tools like AddressSanitizer to monitor for exploitation attempts.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-49496 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
