Description
Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause denial of service. An attacker can supply a crafted Mach-O binary with an arbitrarily large ncmds load command count value, forcing the parser to allocate excessive heap memory without validating file size, crashing the Ghidra JVM.
Published: 2026-06-10
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an uncontrolled memory allocation in the Mach‑O parser, allowing an attacker to supply a crafted binary with an extremely large ncmds load‑command count. The parser then allocates memory proportional to that count without validating the actual file size, causing the Ghidra JVM to run out of memory and terminate. The weakness is defined as CWE‑789 and results in a denial of service of the Ghidra analysis session.

Affected Systems

All Ghidra releases prior to version 12.1.1 are affected. Users running Ghidra 12.0 or earlier must update to 12.1.1 or later to eliminate the flaw.

Risk and Exploitability

The CVSS score of 6.7 indicates a medium severity risk, with no EPSS data available and no inclusion in the CISA KEV catalog, suggesting current exploitation is low but the vulnerability could be targeted in environments that routinely process user‑supplied binaries. The likely attack vector is a local or remote user that can supply a malicious Mach‑O file to Ghidra, perhaps via an automated analysis pipeline, causing the application to crash and deny service to legitimate users.

Generated by OpenCVE AI on June 10, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ghidra to version 12.1.1 or later.
  • If an upgrade is not immediately feasible, validate incoming Mach‑O files for a reasonable ncmds count before opening them in Ghidra.
  • Run Ghidra in a controlled environment such as a sandbox or isolated analysis server, and monitor for repeated crashes to prevent service disruption.

Generated by OpenCVE AI on June 10, 2026 at 14:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause denial of service. An attacker can supply a crafted Mach-O binary with an arbitrarily large ncmds load command count value, forcing the parser to allocate excessive heap memory without validating file size, crashing the Ghidra JVM.
Title Ghidra < 12.1.1 - Denial of Service via Uncontrolled Memory Allocation in Mach-O Parser
First Time appeared Nsa
Nsa ghidra
Weaknesses CWE-789
CPEs cpe:2.3:a:nsa:ghidra:*:*:*:*:*:*:*:*
Vendors & Products Nsa
Nsa ghidra
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Nsa Ghidra
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T14:46:25.860Z

Reserved: 2026-06-08T15:20:09.274Z

Link: CVE-2026-52759

cve-icon Vulnrichment

Updated: 2026-06-10T14:46:11.070Z

cve-icon NVD

Status : Received

Published: 2026-06-10T14:16:36.307

Modified: 2026-06-10T14:16:36.307

Link: CVE-2026-52759

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:00:13Z

Weaknesses