Unrated severityNVD Advisory· Published Mar 29, 2026· Updated Mar 30, 2026

NSA Ghidra Auto-Analysis Annotation Command Execution

CVE-2026-4946

Description

Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine.

Affected products

Ghidra/Ghidrallm-create
Range: <12.0.3
NSA/Ghidrav5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-mc3p-mq2p-xw6vmitrevendor-advisory
takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001011111111111000111111110000000000000000000000000000000000000000000000000000000110mitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000