Description
Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, reading and writing the flags field of freed heap memory when a user opens the binary in Ghidra's decompiler view.
Published: 2026-06-10
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Ghidra before version 12.1 contains a heap-use-after-free flaw in the HighVariable::merge() routine that can be triggered by a crafted binary opened in the decompiler view. The bug causes stale pointers in a cache to be dereferenced, allowing an attacker to read or write the flags field of freed memory. This memory corruption can lead to unpredictable program behavior, including potential arbitrary code execution locally if an attacker controls the binary being decompiled.

Affected Systems

The National Security Agency’s Ghidra decompiler software is affected on all releases prior to 12.1. Users who run any older version of Ghidra and open untrusted binaries in the decompiler are at risk.

Risk and Exploitability

The CVSS score of 4.6 indicates moderate severity. Exploitation requires a user to load a malicious binary, so remote attackers cannot trivially trigger the flaw; however, local attackers or those with privileged access to the system can abuse it. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting it is not widely exploited yet.

Generated by OpenCVE AI on June 10, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Ghidra to version 12.1 or later to eliminate the heap-use-after-free bug
  • If an update is not immediately possible, avoid opening untrusted binaries in the decompiler or disable the decompiler feature until a patch is applied
  • Monitor for abnormal crashes or memory corruption signs in Ghidra, and limit user privileges to read‑only when analyzing external binaries

Generated by OpenCVE AI on June 10, 2026 at 14:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, reading and writing the flags field of freed heap memory when a user opens the binary in Ghidra's decompiler view.
Title Ghidra < 12.1 - Heap-use-after-free in HighVariable::merge() during decompilation
First Time appeared Nsa
Nsa ghidra
Weaknesses CWE-416
CPEs cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products Nsa
Nsa ghidra
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L'}

cvssV4_0

{'score': 4.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Nsa Ghidra
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T12:42:01.080Z

Reserved: 2026-06-08T15:20:09.274Z

Link: CVE-2026-52757

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:36.027

Modified: 2026-06-10T14:16:36.027

Link: CVE-2026-52757

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:00:13Z

Weaknesses