CVE-2026-52757

Analyzed Analyzed - Analysis Complete

Heap Use After Free in Ghidra Decompiler

Publication date: 2026-06-10

Last updated on: 2026-06-12

Assigner: VulnCheck

Description

Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, reading and writing the flags field of freed heap memory when a user opens the binary in Ghidra's decompiler view.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-06-10

Last Modified

2026-06-12

Generated

2026-06-30

AI Q&A

2026-06-10

EPSS Evaluated

2026-06-29

NVD

CVE-2026-52757

EUVD

EUVD-2026-36016

Affected Vendors & Products

Vendor	Product	Version / Range
nsa	ghidra	to 12.1 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-416	The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

Executive Summary

This vulnerability is a heap-use-after-free issue in Ghidra's decompiler, specifically in the HighVariable::merge() function during the variable merging pass.

The problem arises when the mergeInternal() function deletes a HighVariable, but stale pointers remain in the HighIntersectTest::highedgemap cache. Later, when moveIntersectTests() is called, it dereferences these stale pointers, causing reads or writes to freed heap memory.

An attacker can exploit this by crafting a malicious binary that triggers this condition. When a user opens this binary in Ghidra's decompiler view, the vulnerability is triggered, potentially causing data corruption or crashes.

This issue affects Ghidra versions prior to 12.1, including 12.0.4 and certain master branch commits.

Impact Analysis

Exploiting this vulnerability can lead to reading and writing to freed heap memory, which may cause data corruption or application crashes when using Ghidra's decompiler.

Since the decompilation process runs as a native subprocess, opening a crafted malicious binary can trigger this vulnerability, potentially destabilizing the software or causing unexpected behavior.

The vulnerability has a moderate severity with a CVSS score around 4.4 to 4.6.

Detection Guidance

This vulnerability occurs when a user opens a specially crafted binary in Ghidra's decompiler view, triggering heap-use-after-free conditions in the HighVariable::merge() function. Detection involves monitoring for crashes or abnormal behavior in Ghidra during decompilation.

Since the issue is triggered by opening a malicious binary in Ghidra, network detection is not straightforward. Instead, detection should focus on the Ghidra environment itself.

Using AddressSanitizer (ASan) when running Ghidra can help detect heap-use-after-free errors by reporting memory corruption or invalid accesses during decompilation.

No specific commands are provided in the resources for detecting this vulnerability on a network or system.

Mitigation Strategies

The primary mitigation step is to upgrade Ghidra to version 12.1 or later, where this heap-use-after-free vulnerability has been fixed.

Avoid opening untrusted or suspicious binaries in Ghidra's decompiler view until the upgrade is applied.

Consider running Ghidra with AddressSanitizer enabled during analysis to detect potential memory corruption issues.

Hi! I’m here to help you understand CVE-2026-52757. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70