Description
Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes untrusted objects using a Jython 2.7.4 gadget chain to execute arbitrary commands.
Published: 2026-06-10
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghidra versions prior to 12.1 contain an unsafe deserialization flaw in the client‑side Shared‑Project RMI connection code. The flaw lets an attacker craft a malicious project file that contains a ghidra:// URL. When a user opens the file through File → Open Project, the application deserializes untrusted objects via a Jython 2.7.4 gadget chain, allowing execution of arbitrary commands with the privileges of the user running Ghidra.

Affected Systems

The vulnerability affects the National Security Agency’s Ghidra product on all operating systems where the software is installed, specifically any release before version 12.1.

Risk and Exploitability

The CVSS score of 8.6 indicates a high‑severity risk. The flaw is triggered when a user opens a crafted project file; no authentication is required, so any user who runs Ghidra can be targeted. The vulnerability is not currently listed in the CISA KEV catalog and its EPSS score is not available, but the ease of exploitation suggests a realistic risk for environments where Ghidra is used to analyze untrusted code.

Generated by OpenCVE AI on June 10, 2026 at 14:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Ghidra 12.1 or later to address the deserialization vulnerability.
  • If an upgrade cannot be performed immediately, remove or disable the Shared‑Project RMI connection feature to prevent deserialization of untrusted objects until a patch is available.
  • Verify that only trusted project files are opened and avoid executing Ghidra on files from unknown or unverified sources.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 10 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes untrusted objects using a Jython 2.7.4 gadget chain to execute arbitrary commands. |
| Title | | Ghidra < 12.1 - Remote Code Execution via Unfiltered RMI Deserialization in Shared Project Connection |
| First Time appeared | | Nsa; Nsa ghidra |
| Weaknesses | | CWE-502 |
| CPEs | | cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:* |
| Vendors & Products | | Nsa; Nsa ghidra |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'} |
| Metrics | | cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T14:15:58.946Z

Reserved: 2026-06-08T15:20:09.274Z

Link: CVE-2026-52751

Vulnrichment

Updated: 2026-06-10T14:12:08.038Z

NVD

Status: Received

Published: 2026-06-10T14:16:35.187

Modified: 2026-06-10T14:16:35.187

Link: CVE-2026-52751

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:00:13Z