Description
Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, affecting downstream SLEIGH library consumers.
Published: 2026-06-10
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghidra versions prior to 12.1 contain a heap-use-after-free flaw in SleighBuilder::generatePointerAdd due to iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. The condition allows attackers to corrupt memory by decompiling malicious binaries through the publicly exposed Sleigh::oneInstruction C++ API. Such memory corruption can lead to arbitrary code execution or other unintended behavior as it breaks the integrity of the program’s heap.
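As an added illustration of the mechanism described above (this is not Ghidra's code; Instr, Cacher, allocateUnsafe and allocate are hypothetical stand-ins), the following shows a raw pointer into a std::vector dangling once a later push_back reallocates the storage, beside the index-based pattern that stays valid across reallocations:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-ins modelling the CWE-416 pattern; not Ghidra's types.
struct Instr { int opcode; int operand; };

struct Cacher {
    std::vector<Instr> issued;

    // Unsafe pattern: hands back a raw pointer into 'issued'. Any later
    // push_back that grows capacity moves the elements to new storage and
    // frees the old block, so every pointer returned earlier dangles.
    Instr* allocateUnsafe(int op) {
        issued.push_back({op, 0});
        return &issued.back();
    }

    // Hardened pattern: hand back a stable index instead of a pointer and
    // re-derive the reference from 'issued' at each use (reserving the
    // final size up front is the other common fix).
    std::size_t allocate(int op) {
        issued.push_back({op, 0});
        return issued.size() - 1;
    }
};

// Models a builder that keeps a pointer across further allocations.
// Returns true when that pointer no longer lies inside the vector's current
// storage, i.e. dereferencing it would be a use-after-free. Only addresses
// are compared; the stale pointer itself is never dereferenced.
bool stalePointerDetected() {
    Cacher c;
    Instr* first = c.allocateUnsafe(1);
    // Allocate until the storage base moves (push_back reallocated). The new
    // block is obtained while the old one is still live, so they are disjoint.
    while (c.issued.data() == first && c.issued.size() < 4096) c.allocateUnsafe(2);
    std::uintptr_t p  = reinterpret_cast<std::uintptr_t>(first);
    std::uintptr_t lo = reinterpret_cast<std::uintptr_t>(c.issued.data());
    std::uintptr_t hi = reinterpret_cast<std::uintptr_t>(c.issued.data() + c.issued.size());
    return p < lo || p >= hi;
}

// Same sequence with the hardened API: the index survives reallocation, so
// the first instruction's opcode is read back correctly.
int hardenedReadsFirstOpcode() {
    Cacher c;
    std::size_t first = c.allocate(7);
    for (int i = 0; i < 64; ++i) c.allocate(2);
    return c.issued[first].opcode;
}
```

Building with AddressSanitizer (-fsanitize=address) is the practical way to catch the unsafe variant in a real code base, since it reports the dereference of the freed block rather than relying on an address comparison.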

Affected Systems

The affected product is NSA’s Ghidra, all releases before 12.1, including any derivative consumers that rely on the Sleigh library and use the oneInstruction API to process binaries. If a system runs Ghidra 12.0 or earlier and accepts decompilation requests for external binaries, it is susceptible.

Risk and Exploitability

The CVSS score is 6.9, indicating moderate severity, and the vulnerability is not listed in CISA’s KEV catalog. The EPSS score is unavailable, but the lack of a known public exploit does not diminish the risk. The flaw is exploitable by an adversary who can supply malicious binaries to the Sleigh::oneInstruction interface, likely requiring local execution or remote API access. If the API is exposed, the memory corruption could be leveraged to gain control of the application or affect downstream SLEIGH consumers. The risk remains significant for systems that process untrusted binaries without proper isolation.

Generated by OpenCVE AI on June 10, 2026 at 14:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghidra to version 12.1 or later, which contains the fixed SleighBuilder logic.
  • Limit the use of the Sleigh::oneInstruction API to trusted binaries and restrict who can invoke the API.
  • Monitor Ghidra logs and crash reports for signs of heap corruption or abnormal termination and investigate any such incidents promptly.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 13:30:00 +0000

Type                 Values Removed   Values Added
Description          -                Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, affecting downstream SLEIGH library consumers.
Title                -                Ghidra < 12.1 - Heap-Use-After-Free in SleighBuilder::generatePointerAdd via Vector Reallocation
First Time appeared  -                Nsa; Nsa ghidra
Weaknesses           -                CWE-416
CPEs                 -                cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products   -                Nsa; Nsa ghidra
References           -                -
Metrics              -                cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}
                                      cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T13:43:11.156Z

Reserved: 2026-05-31T11:54:34.993Z

Link: CVE-2026-49496

Vulnrichment

Updated: 2026-06-10T13:42:09.516Z

NVD

Status: Received

Published: 2026-06-10T14:16:34.497

Modified: 2026-06-10T15:16:40.200

Link: CVE-2026-49496

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T14:45:32Z

Weaknesses