CVE-2026-52758

SQL Injection in Ghidra BSim Filter Types

Vulnerability report for CVE-2026-52758, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: VulnCheck

Description

Ghidra before 12.1 contains a SQL injection vulnerability in BSim filter types that concatenate user-supplied values directly into SQL queries without escaping or parameterization. Remote attackers can inject arbitrary SQL via the BSim network query protocol to read, modify, or delete data in the PostgreSQL database.


Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29

Affected Vendors & Products

One associated CPE:

Vendor: nsa
Product: ghidra
Version range: from 11.0 (inclusive) to 12.1 (exclusive)


Exploitability

CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.


Compliance Impact

The SQL injection vulnerability in Ghidra's BSim filter types allows remote attackers to read, modify, or delete data in the PostgreSQL database. This unauthorized access and potential data manipulation can lead to breaches of confidentiality, integrity, and availability of sensitive data.

Such breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and alteration.

Therefore, if exploited, this vulnerability could result in violations of these regulations due to compromised data security controls.

Executive Summary

CVE-2026-52758 is a SQL injection vulnerability in the Ghidra software's BSim Search feature affecting versions before 12.1. The vulnerability occurs because certain BSim filter types concatenate user-supplied values directly into SQL queries without proper escaping or parameterization.

This flaw allows remote attackers with network access to the BSim server to inject malicious SQL code via the BSim network query protocol.

As a result, attackers can read, modify, or delete data in the PostgreSQL database used by BSim.

The vulnerability is due to unescaped filter values in classes such as ExecutableNameBSimFilterType, PathStartsBSimFilterType, and NotExecutableNameBSimFilterType, where user input from XML protocol messages is directly appended to SQL queries.
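As an added illustration (not Ghidra's code and not the real BSim classes), the toy model below builds the three filter kinds named above both by string concatenation and with bound parameters, and runs each against an in-memory sqlite3 table standing in for the PostgreSQL database. The filter semantics (equals, not-equals, path prefix) and the table layout are assumed from the class names, not taken from Ghidra.

```python
import sqlite3

# Constructed stand-in for BSim's executable records (sqlite3 replaces PostgreSQL here).
SAMPLE_ROWS = [("libc.so.6", "/usr/lib/"), ("sshd", "/usr/sbin/"), ("secret.bin", "/opt/vault/")]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE exetable (name TEXT, path TEXT)")
    con.executemany("INSERT INTO exetable VALUES (?, ?)", SAMPLE_ROWS)
    return con

# Filters arrive as (kind, value) pairs; the kinds mirror the three class names on the page,
# and their semantics (equals / not-equals / prefix) are assumed from those names.
def vulnerable_where(filters):
    """Vulnerable pattern: the value from the query message is spliced into the SQL text."""
    clauses = []
    for kind, value in filters:
        if kind == "ExecutableName":
            clauses.append("name = '" + value + "'")
        elif kind == "NotExecutableName":
            clauses.append("name != '" + value + "'")
        elif kind == "PathStarts":
            clauses.append("path LIKE '" + value + "%'")
    return " AND ".join(clauses), ()

def parameterized_where(filters):
    """Hardened pattern: the SQL text is fixed; values travel as bound parameters."""
    templates = {"ExecutableName": "name = ?", "NotExecutableName": "name != ?",
                 "PathStarts": "path LIKE ? ESCAPE '\\'"}
    clauses, params = [], []
    for kind, value in filters:
        clauses.append(templates[kind])
        if kind == "PathStarts":
            # Escape LIKE metacharacters so the user-supplied prefix matches literally.
            value = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%"
        params.append(value)
    return " AND ".join(clauses), tuple(params)

def run_query(builder, filters):
    """Execute SELECT name FROM exetable WHERE <clauses> and return the matching names."""
    con = make_db()
    where, params = builder(filters)
    rows = con.execute("SELECT name FROM exetable WHERE " + where, params).fetchall()
    con.close()
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    probe = [("ExecutableName", "x' OR '1'='1")]  # the tautology named in the detection guidance
    print("vulnerable:", run_query(vulnerable_where, probe))        # every row comes back
    print("parameterized:", run_query(parameterized_where, probe))  # no match: value stayed data
```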

Impact Analysis

This vulnerability can have a significant impact by allowing remote attackers to execute arbitrary SQL commands on the BSim PostgreSQL database.

  • Attackers can read sensitive data stored in the database, compromising confidentiality.
  • They can modify data, affecting data integrity.
  • They can delete data, impacting availability.

Because the attack vector is the network and the attack complexity is low, the risk of exploitation is high.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Ghidra to version 12.1 or later, where the SQL injection issue in the BSim search functionality has been fixed.

Avoid using vulnerable versions (11.0 through 12.0) of Ghidra in environments where untrusted users have network access to the BSim server.

Detection Guidance

This vulnerability involves SQL injection via the BSim network query protocol in Ghidra versions prior to 12.1. Detection can focus on monitoring network traffic for suspicious or malformed BSim protocol messages that include unescaped or unusual SQL-like payloads.

Since the vulnerability is exploited by injecting SQL commands through the BSim network queries, one approach is to capture and analyze network packets to the Ghidra BSim service for unexpected SQL syntax or injection patterns.

Specific commands to detect potential exploitation attempts might include using network packet capture and inspection tools such as tcpdump or Wireshark to filter traffic on the relevant ports used by Ghidra's BSim service.

  • Use tcpdump to capture traffic on the BSim port (replace <interface> and <port> with the actual interface and port): tcpdump -i <interface> port <port> -w bsim_traffic.pcap
  • Analyze captured traffic with Wireshark or tshark to look for suspicious SQL keywords or injection patterns in BSim protocol messages.
  • Search logs or network captures for typical SQL injection payloads such as ' OR '1'='1', UNION SELECT, or other SQL control characters within BSim queries.

Additionally, verifying the Ghidra version in use and ensuring it is updated to 12.1 or later is a critical step to mitigate this vulnerability.
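The third step above, as an added example that is not part of the original report: a small scanner that walks every element of BSim-style XML query messages and flags values matching the injection patterns the guidance lists. The XML layout of the samples is constructed (BSim's real schema is not reproduced here), which is why the scanner inspects every element's text rather than specific tag names; a lone apostrophe is reported at low severity because legitimate file names can contain one.

```python
import re
import xml.etree.ElementTree as ET

# Detection patterns drawn from the guidance above. Sample tag names are invented;
# the scanner looks at every element's text, so BSim's real schema is not needed.
SUSPICIOUS = [
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=", re.I)),          # ' OR '1'='1
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("statement_break", re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I)),
    ("comment_marker", re.compile(r"--|/\*")),
    ("stray_quote", re.compile(r"'")),                                # weak on its own
]
STRONG = {"tautology", "union_select", "statement_break", "comment_marker"}

def classify_value(value):
    """Names of every pattern that matches one filter value, in list order."""
    return [name for name, rx in SUSPICIOUS if rx.search(value)]

def severity(hits):
    """A lone quote is weak evidence (file names may contain one); structural SQL is strong."""
    if STRONG & set(hits):
        return "high"
    return "low" if hits else "none"

def scan_message(xml_text):
    """Return (tag, value, hits, severity) for each flagged element of one query message."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        text = (elem.text or "").strip()
        hits = classify_value(text) if text else []
        if hits:
            findings.append((elem.tag, text, hits, severity(hits)))
    return findings

def scan_capture(messages):
    """Summarise a batch of captured messages as {severity: count}, worst finding per message."""
    counts = {"none": 0, "low": 0, "high": 0}
    for msg in messages:
        levels = [f[3] for f in scan_message(msg)]
        counts["high" if "high" in levels else "low" if levels else "none"] += 1
    return counts

# Constructed sample messages standing in for captured BSim query traffic.
SAMPLES = [
    "<query><exename>libc.so.6</exename><pathstarts>/usr/lib/</pathstarts></query>",
    "<query><exename>O'Reilly.exe</exename></query>",              # legitimate apostrophe
    "<query><exename>x' OR '1'='1</exename></query>",
    "<query><pathstarts>/opt/' UNION SELECT 1,2,3 --</pathstarts></query>",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(scan_message(msg))
    print(scan_capture(SAMPLES))
```

To run this over a real capture, extract the BSim message bodies with tshark first and feed each one to scan_message; an XML parse error means the message was not a well-formed query and deserves a look on its own.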
