National Security Agency's Ghidra: 15 Vulnerabilities Disclosed on June 10, 2026
Fifteen vulnerabilities affecting the NSA's Ghidra reverse engineering tool were disclosed on June 10, 2026, ranging in severity from low to high.

Key findings
- Fifteen vulnerabilities in NSA's Ghidra disclosed on June 10, 2026, with severities ranging from low to high.
- Multiple path traversal flaws impact file system operations and can lead to code execution.
- SQL injection vulnerabilities exist in database interaction and password change functionalities.
- Unsafe deserialization and memory corruption issues present risks for remote code execution and denial of service.
- Affected versions span from Ghidra 10.2 up to, but not including, 12.1.1, with most fixed in 12.1 or later releases.
On June 10, 2026, a batch of fifteen vulnerabilities was disclosed for the National Security Agency's (NSA) Ghidra reverse engineering software. They range in severity from low to high and affect various components and functionalities of the tool. The disclosures highlight potential risks for users who analyze software with Ghidra, particularly those handling untrusted binaries or connecting to shared projects.
Several vulnerabilities relate to improper handling of binary parsing and file operations. CVE-2026-52759, a medium-severity vulnerability, stems from an uncontrolled memory allocation in the Mach-O binary parser, which could lead to a denial of service when processing crafted binaries with excessive load command counts. Similarly, CVE-2026-52753, also medium severity, involves an out-of-memory vulnerability in the rust_demangle function due to unbounded output buffer allocations, triggered by malicious Rust symbol names. Another medium-severity issue, CVE-2026-49495, concerns uncontrolled resource consumption in ExportTrie.parseTrie() within the Mach-O export trie parsing, potentially leading to denial of service through unbounded queue growth and string concatenation.
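The load-command issue above comes down to trusting a count field from the file header. The following is an added example, not Ghidra's parser: it bounds `ncmds` and `sizeofcmds` against the actual file size before walking the commands. The function names and the sample bytes are constructed for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF                  # little-endian 64-bit Mach-O
HEADER = struct.Struct("<IiiIIIII")       # mach_header_64, 32 bytes
LOAD_CMD = struct.Struct("<II")           # load_command: cmd, cmdsize

def read_load_commands(data: bytes):
    """Return [(cmd, cmdsize), ...]; raise ValueError before trusting header counts."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = HEADER.unpack_from(data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("unsupported magic")
    if sizeofcmds > len(data) - HEADER.size:
        raise ValueError("sizeofcmds exceeds file size")
    # Every load command is at least 8 bytes, so sizeofcmds bounds ncmds.
    if ncmds * LOAD_CMD.size > sizeofcmds:
        raise ValueError("ncmds does not fit in sizeofcmds")
    commands, offset, end = [], HEADER.size, HEADER.size + sizeofcmds
    for _ in range(ncmds):
        if offset + LOAD_CMD.size > end:
            raise ValueError("load command runs past sizeofcmds")
        cmd, cmdsize = LOAD_CMD.unpack_from(data, offset)
        # cmdsize must cover its own header, keep 8-byte alignment, stay in range.
        if cmdsize < LOAD_CMD.size or cmdsize % 8 or offset + cmdsize > end:
            raise ValueError("bad cmdsize")
        commands.append((cmd, cmdsize))
        offset += cmdsize
    return commands

def build_sample(ncmds_field: int) -> bytes:
    """Constructed sample: two small commands; the header count is set by the caller."""
    cmds = [(0x1B, 24), (0x26, 16)]
    body = b"".join(LOAD_CMD.pack(c, s) + bytes(s - 8) for c, s in cmds)
    return HEADER.pack(MH_MAGIC_64, 0x0100000C, 0, 2, ncmds_field, len(body), 0, 0) + body

def rejection_reason(data: bytes):
    """Return the validation error for data, or None if it parses cleanly."""
    try:
        read_load_commands(data)
        return None
    except ValueError as exc:
        return str(exc)
```

A header claiming 0xFFFFFFFF commands over a 40-byte command area is rejected by arithmetic alone, before any per-command storage is reserved.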
Path traversal vulnerabilities represent another notable category within this disclosure batch. CVE-2026-52756 (medium severity) affects the IsfServer, allowing remote attackers to perform unauthenticated path traversal via crafted protobuf messages. CVE-2026-52755 (high severity) impacts the theme import functionality, enabling attackers to write files outside intended directories by crafting malicious theme ZIP files, potentially leading to arbitrary code execution. CVE-2026-52752 (high severity) is an extension installer vulnerability where ZIP entry names are not validated, allowing attackers to write arbitrary files and achieve code execution. Lastly, CVE-2026-49497 (low severity) involves path traversal in SameDirDebugInfoProvider, which could be used to probe filesystem existence and leak CRC32 hashes of arbitrary files.
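For the two ZIP-based issues above (theme import and extension installer), the missing control is validation of entry names before anything is written. The following is an added example, not Ghidra code: it audits an archive in memory and reports entries that should be refused. The function names and the sample archive are constructed for illustration.

```python
import io
import stat
import zipfile

def entry_problem(name: str, external_attr: int = 0):
    """Return why a ZIP entry must not be extracted, or None if it is acceptable."""
    norm = name.replace("\\", "/")          # treat '\' as a separator: the target may be Windows
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return "absolute path"
    if ".." in norm.split("/"):             # conservative: refuse any parent-directory segment
        return "parent-directory segment"
    if stat.S_ISLNK(external_attr >> 16):   # Unix mode is stored in the high 16 bits
        return "symbolic link entry"
    return None

def audit_archive(zip_bytes: bytes) -> dict:
    """Map each refused entry (separators normalised to '/') to the reason."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            problem = entry_problem(info.filename, info.external_attr)
            if problem:
                findings[info.filename.replace("\\", "/")] = problem
    return findings

def build_sample() -> bytes:
    """Constructed archive: one ordinary entry and four that must be refused."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("themes/dark.theme", "constructed")
        zf.writestr("../../outside.txt", "constructed")
        zf.writestr("docs\\..\\..\\outside.txt", "constructed")
        zf.writestr("/abs/outside.txt", "constructed")
        link = zipfile.ZipInfo("themes/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "elsewhere")
    return buf.getvalue()
```

Running `audit_archive` over a theme or extension ZIP before installing it gives a quick pre-check on hosts that cannot be upgraded immediately.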
Security flaws related to memory corruption and unsafe deserialization also feature prominently. CVE-2026-52757 (medium severity) is a heap-use-after-free vulnerability in the decompiler's variable merging pass, triggered by crafting binaries that cause stale pointers to be dereferenced. CVE-2026-49496 (medium severity) is another heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd due to iterator invalidation, leading to memory corruption when decompiling malicious binaries. A high-severity vulnerability, CVE-2026-52751, involves unsafe deserialization in client-side Shared-Project RMI connection code, allowing unauthenticated remote code execution via crafted project files with malicious ghidra:// URLs.
Several vulnerabilities directly impact data integrity and access control through SQL injection and authentication bypass. CVE-2026-52758 (high severity) is a SQL injection vulnerability in BSim filter types, allowing remote attackers to manipulate data in the PostgreSQL database via the BSim network query protocol. CVE-2026-49498 (high severity) is another SQL injection flaw in PostgresFunctionDatabase::changePassword(), where unescaped double quotes in usernames can lead to SQL command injection. CVE-2026-52754 (high severity) presents an authentication bypass in PKIAuthenticationModule.authenticate(), enabling users with valid CA-signed certificates to impersonate others and escalate privileges.
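The `changePassword()` issue above turns on double quotes inside a quoted SQL identifier. The following is an added example, not Ghidra code: it places unescaped concatenation beside PostgreSQL-style identifier quoting and parses each result to show where the server would consider the role name to end. The `ALTER ROLE` statement shape, the function names and the sample username are assumptions made for illustration.

```python
PREFIX = "ALTER ROLE "                      # assumed statement shape, not taken from Ghidra
SUFFIX = " WITH PASSWORD 'placeholder'"

def naive_ident(name: str) -> str:
    """The flawed pattern: wrap the name in quotes without escaping embedded quotes."""
    return '"' + name + '"'

def quote_ident(name: str) -> str:
    """PostgreSQL quoted identifier: an embedded double quote is written twice."""
    if not name or "\x00" in name:
        raise ValueError("invalid identifier")
    return '"' + name.replace('"', '""') + '"'

def read_quoted_ident(sql: str, start: int):
    """Parse one quoted identifier at sql[start]; return (value, index after it)."""
    if sql[start:start + 1] != '"':
        raise ValueError("expected opening quote")
    out, i = [], start + 1
    while i < len(sql):
        if sql[i] == '"':
            if sql[i + 1:i + 2] == '"':     # doubled quote is a literal quote
                out.append('"')
                i += 2
                continue
            return "".join(out), i + 1      # single quote closes the identifier
        out.append(sql[i])
        i += 1
    raise ValueError("unterminated identifier")

def role_seen_by_server(statement: str):
    """Return (role name as parsed, text that follows the identifier)."""
    value, end = read_quoted_ident(statement, len(PREFIX))
    return value, statement[end:]

USERNAME = 'o"brien'                        # constructed sample username
NAIVE = PREFIX + naive_ident(USERNAME) + SUFFIX
SAFE = PREFIX + quote_ident(USERNAME) + SUFFIX
```

With the unescaped form the identifier ends at the embedded quote and the remainder of the username is read as SQL text; with `quote_ident` the whole username stays inside one identifier.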
A command injection issue rounds out the disclosed vulnerabilities. CVE-2026-52750 (high severity) is a command injection vulnerability in URL annotation handling on Windows, where unescaped metacharacters allow arbitrary command execution when users click malicious URLs embedded in program comments.
Affected versions by CVE:
- CVE-2026-52750: Ghidra before 12.1
- CVE-2026-52753: Ghidra before 12.0.3
- CVE-2026-52755: Ghidra before 12.0.4
- CVE-2026-52759: Ghidra before 12.1.1
- CVE-2026-52758: Ghidra before 12.1
- CVE-2026-52757: Ghidra before 12.1
- CVE-2026-52756: Ghidra before 12.2
- CVE-2026-52752: Ghidra before 12.0.2
- CVE-2026-52751: Ghidra before 12.1
- CVE-2026-49498: Ghidra 11.0 before 12.1
- CVE-2026-49497: Ghidra before 12.1
- CVE-2026-49496: Ghidra before 12.1
- CVE-2026-49495: Ghidra 10.2 before 12.1
- CVE-2024-58350: Ghidra before 11.2
The majority of these vulnerabilities are addressed in Ghidra versions 12.1 and later, with specific patches available for earlier versions as noted in the individual CVE descriptions.
Users of Ghidra are strongly advised to update to the latest patched versions to mitigate these risks. The breadth of these vulnerabilities, affecting parsing, file handling, authentication, and code execution vectors, underscores the importance of maintaining up-to-date security configurations and applying patches promptly. The disclosure of these issues together highlights a critical period for Ghidra users to review their security posture and ensure the integrity of their reverse engineering workflows.