Description
Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.
Published: 2026-06-10
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghidra versions 10.2 through 12.0 contain an uncontrolled resource consumption bug in the ExportTrie.parseTrie() routine. When a Mach‑O binary with circular references in its export trie is parsed, the algorithm grows an unbounded queue and performs exponential string concatenation. This leads to an OutOfMemoryError that crashes the Java Virtual Machine, terminating the analysis session and discarding any unsaved work. The weakness is a classic lack of resource limiting, classified as CWE‑835.

Affected Systems

The National Security Agency’s Ghidra platform, from version 10.2 up to 12.0, is affected. Versions 12.1 and later include the necessary cycle detection logic and are not vulnerable. Any deployment of Ghidra that loads user‑supplied or externally provided Mach‑O binaries using these affected releases is at risk.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate severity. No EPSS value is available, and the flaw is not listed in the CISA KEV catalog, indicating it is not yet known to be exploited in the wild. The effect is local; an attacker would need to supply a crafted Mach‑O binary to a user running Ghidra, causing an application crash. The vulnerability cannot be leveraged for remote code execution but can still disrupt analysis workflows when malicious or corrupt binary files are processed.

Generated by OpenCVE AI on June 10, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghidra to version 12.1 or later, which includes cycle detection in the export‑trie parser.
  • Configure Ghidra’s JVM options to limit the maximum heap size, reducing the impact of any out‑of‑memory conditions.
  • Restrict the use of external Mach‑O binaries by validating file integrity or providing a sandboxed import process before analysis.

Generated by OpenCVE AI on June 10, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.
Title Ghidra 10.2 < 12.1 - Denial of Service via Circular Reference in Mach-O Export Trie Parser
First Time appeared Nsa
Nsa ghidra
Weaknesses CWE-835
CPEs cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products Nsa
Nsa ghidra
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nsa Ghidra
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T12:36:43.369Z

Reserved: 2026-05-31T11:54:34.993Z

Link: CVE-2026-49495

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:34.360

Modified: 2026-06-10T14:16:34.360

Link: CVE-2026-49495

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:15:07Z

Weaknesses