Medium severity 5.5 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-49495

Description

Ghidra 10.2 to 12.1 is vulnerable to OutOfMemoryError via crafted Mach-O files, crashing the JVM and losing unsaved work.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Ghidra versions from 10.2 up to, but not including, 12.1 contain an uncontrolled resource consumption vulnerability in the `ExportTrie.parseTrie()` method. This method lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in its export trie can cause unbounded queue growth and exponential string concatenation, leading to an `OutOfMemoryError` that crashes the entire Java Virtual Machine (JVM) [1, 2].

Exploitation

An attacker can craft a minimal Mach-O binary (approximately 157 bytes) with a specific export trie structure that contains a circular reference. When an analyst opens this malicious binary in Ghidra, the parseTrie() method is invoked during the Mach-O import process. The lack of cycle detection causes the BFS queue to grow without bound, consuming excessive memory and triggering the OutOfMemoryError [1]. User interaction is required as the analyst must open the crafted file [2].

Impact

Successful exploitation of this vulnerability results in a denial-of-service condition. The OutOfMemoryError is uncaught and propagates, causing the entire Ghidra JVM process to crash. This leads to the loss of all unsaved work and open projects for the analyst [1, 2].

Mitigation

Ghidra versions 12.1 and later have addressed this vulnerability. Users are advised to update to Ghidra 12.1 or a newer version. No workarounds are specified in the available references, and the vulnerability is not listed as being part of the CISA KEV catalog [1, 2].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"The Mach-O binary export trie parser lacks cycle detection, leading to unbounded resource consumption."

Attack vector

An attacker crafts a minimal Mach-O binary with circular references in its export trie. When an analyst opens this malicious binary in Ghidra, the `ExportTrie.parseTrie()` method is invoked during the Mach-O import process. This method uses a Breadth-First Search (BFS) traversal without any cycle detection mechanisms. The crafted circular reference causes the BFS queue to grow without bound, leading to an exponential increase in string concatenation and ultimately an `OutOfMemoryError` that crashes the entire Java Virtual Machine (JVM) [ref_id=1].

Affected code

The vulnerability resides in the `ExportTrie.parseTrie()` method within the `ExportTrie.java` file. Specifically, the BFS traversal logic starting from line 91 lacks mechanisms such as visited-offset tracking, depth limits, or maximum queue size checks, which allows for unbounded queue growth and exponential string concatenation when encountering circular references [ref_id=1].

What the fix does

The suggested fix introduces a `Set<Integer>` named `visited` to track offsets that have already been processed. Before processing a node, its offset is checked against the `visited` set. If the offset has already been visited, the node is skipped, effectively breaking the cycle. This prevents unbounded queue growth and exponential memory consumption, thereby mitigating the `OutOfMemoryError` [ref_id=1].

Preconditions

  • input: The attacker must craft a Mach-O binary with a circular reference in its export trie, specifically where a child node's offset points back to the trie root (offset 0) [ref_id=1].
  • input: The target user must open the crafted Mach-O binary in Ghidra [ref_id=1].

Reproduction

```
python3 poc_macho_001_export_trie.py
# Generates malicious_macho_export_trie.macho (157 bytes)
timeout 30 analyzeHeadless /tmp/test Test -import malicious_macho_export_trie.macho -deleteProject -noanalysis
# Process hangs/OOMs until killed (exit code 124)
```

[ref_id=1]

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
