CVE-2026-52757
Description
Ghidra 12.0.4 and earlier have a heap-use-after-free in the decompiler's variable merging pass, exploitable by opening a crafted binary.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Ghidra versions before 12.1 contain a heap-use-after-free vulnerability within the decompiler's HighVariable::merge() function during the variable merging pass [1, 2]. This vulnerability occurs when stale pointers to freed heap memory remain in the HighIntersectTest::highedgemap cache after a HighVariable is deleted by mergeInternal(). Subsequent calls to moveIntersectTests() can dereference these stale pointers, leading to reads and writes of freed memory flags [1]. This bug is triggered during the native decompile process when a user opens a binary in Ghidra's decompiler view, specifically during the merge pass which is reachable through Ghidra's GUI and analyzeHeadless [1]. Ghidra 12.0.4 PUBLIC and Ghidra master at commit 6b5ea0e0e3 are confirmed affected, and likely all recent versions [1].
Exploitation
An attacker can trigger this vulnerability by crafting a malicious binary [2]. When a user opens this crafted binary in Ghidra's decompiler view, the decompiler's variable merging pass will execute [1]. This process involves deleting HighVariable objects and subsequently attempting to use pointers that have already been freed, leading to the dereferencing of stale pointers within the HighIntersectTest::highedgemap cache [1, 2]. Network position, authentication, or write access are not required; user interaction by opening the crafted binary is sufficient [1, 2].
Impact
Successful exploitation of this heap-use-after-free vulnerability allows an attacker to read and write freed heap memory flags [1, 2]. This can lead to arbitrary code execution or other memory corruption within the Ghidra decompiler process, potentially compromising the integrity of the analysis or the system running Ghidra, depending on the privilege level of the Ghidra process [1, 2].
Mitigation
Ghidra version 12.1 and later contain fixes for this vulnerability [2]. Users are advised to upgrade to Ghidra 12.1 or a later version. No workarounds are disclosed in the available references, and neither the End-of-Life (EOL) status nor a Known Exploited Vulnerabilities (KEV) listing for the affected versions has been disclosed [1, 2].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <12.1
Patches
101b989a8df3e fix spelling of commercial (#14)
1 file changed · +1 −1
DISCLAIMER.md+1 −1 modified@@ -10,4 +10,4 @@ The User of this Work agrees to hold harmless and indemnify the United States Go Nothing in this Work is intended to constitute an endorsement, explicit or implied, by the United States Government of any particular manufacturer's product or service. -Reference herein to any specific commerical product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes. +Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, in this Work does not constitute an endorsement, recommendation, or favoring by the United States Government and shall not be used for advertising or product endorsement purposes.
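Review bot: this hunk does not touch the vulnerable code described on this page. It changes one line of DISCLAIMER.md, correcting "commerical" to "commercial", and contains no change to the decompiler, HighVariable::merge(), mergeInternal() or the HighIntersectTest::highedgemap cache. The patch attached as the fix for this heap-use-after-free appears to be misattributed; the commit that actually purges the cache before deleting HighVariable objects (the fix described under "What the fix does") should be linked instead.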
Vulnerability mechanics
Root cause
"Stale pointers to freed heap memory remain in the HighIntersectTest::highedgemap cache, leading to dereferencing of freed objects."
Attack vector
An attacker can trigger this vulnerability by crafting a binary that, when opened in Ghidra's decompiler view, causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced. This occurs during the variable merging pass within the decompiler's native process. The vulnerability is reachable through the production Java to native IPC path used by Ghidra's GUI and analyzeHeadless [ref_id=1].
Affected code
The vulnerability resides in the HighVariable::merge() function within Ghidra's decompiler. Specifically, the issue arises during the variable merging pass where stale pointers can persist in the HighIntersectTest::highedgemap cache after HighVariable objects are deleted by mergeInternal() [ref_id=1].
What the fix does
The patch addresses the heap-use-after-free vulnerability by ensuring that the HighIntersectTest::highedgemap cache is properly cleaned up before HighVariable objects are deleted. This prevents stale pointers from remaining in the cache, which were previously dereferenced after the memory had been freed. The fix is part of the Ghidra 12.1 release [patch_id=5478755].
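A simplified model of the root cause and of the cleanup the fix is described as performing, added here as an example and not Ghidra's own code: the names HighVariable, highedgemap, mergeInternal() and moveIntersectTests() come from the page, while the cache layout (a map keyed by a pointer pair), the purge helper and the simulation are assumptions.

```cpp
#include <cstdint>
#include <map>
#include <utility>

// Simplified model, not Ghidra's code: a decompiler variable and a cache
// of pairwise intersection results keyed by pointers to the variables.
struct HighVariable { int id; };
using EdgeKey = std::pair<const HighVariable*, const HighVariable*>;
using HighEdgeMap = std::map<EdgeKey, bool>;
// Assumed cleanup the fix performs (per the page): drop every entry naming var.
void purgeFromCache(HighEdgeMap& cache, const HighVariable* var) {
  for (auto it = cache.begin(); it != cache.end();) {
    if (it->first.first == var || it->first.second == var)
      it = cache.erase(it);
    else
      ++it;
  }
}

// absorbed is merged away and freed. cleanCache == false is the buggy pattern:
// the cache keeps the dead address and a later lookup would touch freed memory.
void mergeInternal(HighVariable* absorbed, HighEdgeMap& cache, bool cleanCache) {
  if (cleanCache) purgeFromCache(cache, absorbed);
  delete absorbed;
}

// Count keys still holding the freed address; only pointer values are compared.
int staleEntries(const HighEdgeMap& cache, std::uintptr_t freedAddr) {
  int n = 0;
  for (const auto& kv : cache)
    if (reinterpret_cast<std::uintptr_t>(kv.first.first) == freedAddr ||
        reinterpret_cast<std::uintptr_t>(kv.first.second) == freedAddr)
      ++n;
  return n;
}

// Merge b away and report how many cache entries still name it (2 buggy, 0 fixed).
int simulateMerge(bool cleanCache) {
  HighVariable* a = new HighVariable{1};
  HighVariable* b = new HighVariable{2};
  HighVariable* c = new HighVariable{3};
  HighEdgeMap cache = {{EdgeKey{a, b}, true}, {EdgeKey{b, c}, false},
                       {EdgeKey{a, c}, false}};
  std::uintptr_t bAddr = reinterpret_cast<std::uintptr_t>(b);
  mergeInternal(b, cache, cleanCache);   // b is freed here
  int stale = staleEntries(cache, bAddr);
  delete a; delete c;
  return stale;
}
```

The buggy path leaves two entries keyed by the freed address, which is exactly what a later moveIntersectTests()-style lookup would dereference; the fixed path leaves none.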
Preconditions
- input: A crafted binary file.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions (2)
- National Security Agency's Ghidra: 15 Vulnerabilities Disclosed on June 10, 2026 (Vypr Intelligence · Jun 10, 2026)