CVE-2026-52757
Status: Received - Intake
Heap Use After Free in Ghidra Decompiler

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: VulnCheck

Description
Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, reading and writing the flags field of freed heap memory when a user opens the binary in Ghidra's decompiler view.
Affected Vendors & Products
Vendor: national_security_agency
Product: ghidra
Version / Range: up to 12.1 (exclusive)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

This vulnerability is a heap-use-after-free issue in Ghidra's decompiler, specifically in the HighVariable::merge() function during the variable merging pass.

The problem arises when the mergeInternal() function deletes a HighVariable, but stale pointers remain in the HighIntersectTest::highedgemap cache. Later, when moveIntersectTests() is called, it dereferences these stale pointers, causing reads or writes to freed heap memory.
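
The stale-cache pattern described above, as an added C++ model that is not Ghidra source code. All names (Var, MergeModel, edgeCache) are hypothetical, release is simulated with a flag so the demo itself never touches freed memory, and purging the cache before release is shown as one common remedy, not as the change made in 12.1.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <utility>
#include <vector>

// Simplified model; every name here is hypothetical, none is Ghidra source.
struct Var { unsigned flags = 0; bool freed = false; };  // 'freed' simulates delete

struct MergeModel {
    std::vector<std::unique_ptr<Var>> pool;           // keeps memory valid: no real UB in the demo
    std::map<std::pair<Var*, Var*>, bool> edgeCache;  // cached pair results keyed by raw pointers
    Var* make() { pool.emplace_back(new Var()); return pool.back().get(); }
    void cache(Var* a, Var* b, bool hit) { edgeCache[{a, b}] = hit; edgeCache[{b, a}] = hit; }
    // Drop every cache entry whose key mentions v.
    void purge(Var* v) {
        for (auto it = edgeCache.begin(); it != edgeCache.end();) {
            if (it->first.first == v || it->first.second == v) it = edgeCache.erase(it);
            else ++it;
        }
    }
    // Merge 'gone' into 'keep' and release 'gone'. With purgeFirst == false the
    // cache keeps keys that point at the released object.
    void merge(Var* keep, Var* gone, bool purgeFirst) {
        keep->flags |= gone->flags;
        if (purgeFirst) purge(gone);
        gone->freed = true;                           // stands in for 'delete gone'
    }
    // Later pass that walks the cache and updates flags through the key pointers.
    // Returns how many accesses landed on a released object.
    int touchCachedFlags() {
        int stale = 0;
        for (auto& e : edgeCache) {
            Var* v = e.first.first;
            if (v->freed) { ++stale; continue; }      // real code would touch freed heap here
            v->flags |= 1u;
        }
        return stale;
    }
};

int staleAccesses(bool purgeFirst) {
    MergeModel m;
    Var* a = m.make(); Var* b = m.make(); Var* c = m.make();
    m.cache(a, b, true); m.cache(b, c, false);        // constructed sample cache contents
    m.merge(a, b, purgeFirst);
    return m.touchCachedFlags();
}

int main() {
    std::printf("no purge: %d stale, purge first: %d stale\n", staleAccesses(false), staleAccesses(true));
    return 0;
}
```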

An attacker can exploit this by crafting a malicious binary that triggers this condition. When a user opens this binary in Ghidra's decompiler view, the vulnerability is triggered, potentially causing data corruption or crashes.

This issue affects Ghidra versions prior to 12.1, including 12.0.4 and certain master branch commits.

Impact Analysis

Exploiting this vulnerability leads to reads from and writes to freed heap memory, which may cause data corruption or application crashes when using Ghidra's decompiler.

Since the decompilation process runs as a native subprocess, opening a crafted malicious binary can trigger this vulnerability, potentially destabilizing the software or causing unexpected behavior.

The vulnerability has a moderate severity with a CVSS score around 4.4 to 4.6.

Detection Guidance

This vulnerability occurs when a user opens a specially crafted binary in Ghidra's decompiler view, triggering heap-use-after-free conditions in the HighVariable::merge() function. Detection involves monitoring for crashes or abnormal behavior in Ghidra during decompilation.

Since the issue is triggered by opening a malicious binary in Ghidra, network detection is not straightforward. Instead, detection should focus on the Ghidra environment itself.

Running Ghidra with a native decompiler built with AddressSanitizer (ASan) instrumentation can help detect heap-use-after-free errors, because ASan reports memory corruption or invalid accesses as they occur during decompilation.

No specific commands are provided in the resources for detecting this vulnerability on a network or system.

Mitigation Strategies

The primary mitigation step is to upgrade Ghidra to version 12.1 or later, where this heap-use-after-free vulnerability has been fixed.

Avoid opening untrusted or suspicious binaries in Ghidra's decompiler view until the upgrade is applied.

Consider running Ghidra with an AddressSanitizer-instrumented build of the native decompiler during analysis to detect potential memory corruption issues.
