Description
Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order that causes iteration over deallocated memory.
Published: 2026-06-10
Score: 2.1 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghidra releases before version 11.2 suffer from a use‑after‑free flaw in the Sleigh backend. The vulnerability arises from an undefined static initialization order between the SleighArchitecture::translators and XmlArchitectureCapability singletons. When the application shuts down, this unsafe destruction order causes an iteration over deallocated memory, which can trigger an infinite loop or a crash. The flaw is a classic use‑after‑free weakness (CWE‑758) and results in availability loss for the affected system.

Affected Systems

The National Security Agency’s Ghidra reverse‑engineering suite, specifically any release earlier than 11.2, is impacted. The flaw is present in all platforms supported by Ghidra, as the unsafe static initialization is part of the core C++ code and not platform‑specific.

Risk and Exploitability

The CVSS score of 2.1 indicates a low severity level, and the exploitation probability (EPSS) is not available. The vulnerability is not listed in CISA’s KEV catalog. The memory corruption can only be triggered during the shutdown phase of the application, implying that an attacker must have the ability to run and terminate Ghidra locally. As such, the risk is confined to availability for local users, with no known remote exploitation path.

Generated by OpenCVE AI on June 10, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Ghidra 11.2 or later, which removes the static initialization order bug.
  • If an upgrade is not immediately possible, avoid terminating Ghidra until after any long‑running analysis tasks complete, to reduce the chance of hitting the unsafe shutdown path.
  • Review and modify any custom plugins or scripts that interact with Ghidra’s Sleigh backend to ensure proper initialization and cleanup, mitigating the risk of further use‑after‑free scenarios.

Generated by OpenCVE AI on June 10, 2026 at 14:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order that causes iteration over deallocated memory.
Title Ghidra < 11.2 - Use After Free in Sleigh Backend via Static Initialization Order
First Time appeared Nsa
Nsa ghidra
Weaknesses CWE-758
CPEs cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products Nsa
Nsa ghidra
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Nsa Ghidra
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T13:51:17.257Z

Reserved: 2026-06-08T15:20:35.496Z

Link: CVE-2024-58350

cve-icon Vulnrichment

Updated: 2026-06-10T13:51:14.299Z

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:28.893

Modified: 2026-06-10T14:16:28.893

Link: CVE-2024-58350

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T14:45:32Z

Weaknesses