CVE-2026-52759
Description
Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause denial of service. An attacker can supply a crafted Mach-O binary with an arbitrarily large ncmds load command count value, forcing the parser to allocate excessive heap memory without validating file size, crashing the Ghidra JVM.
Affected products
- Range: <12.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Mach-O binary parser unconditionally trusts the ncmds field, leading to excessive memory allocation."
Attack vector
An attacker can craft a Mach-O binary with an arbitrarily large value in the ncmds field of its header. This crafted binary can then be supplied to Ghidra, either through its GUI or headless analyzer. The parser will attempt to allocate memory for a list of load commands based on this inflated value, regardless of the actual file size. This leads to an OutOfMemoryError, crashing the Ghidra JVM. [ref_id=1]
Affected code
The vulnerability resides in the Mach-O binary parsing logic within Ghidra's MachHeader.java file, specifically in the parse() method. The parser iterates over load commands based on the ncmds field from the Mach-O header without validating against the file's actual size. [ref_id=1]
What the fix does
The advisory states that the vulnerability is present in all known Ghidra releases and has not been patched. Therefore, no fix explanation can be provided. Users are advised to avoid importing untrusted Mach-O binaries. [ref_id=1]
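A pre-import triage check for untrusted files, as an added example (not Ghidra's code and not a fix from the advisory): it reads a thin Mach-O header and rejects a file whose ncmds or sizeofcmds cannot fit in the bytes actually present. The function names and the constructed sample are assumptions made for illustration; fat/universal files are not handled.

```python
import struct

# Thin Mach-O magics as seen when the first 4 bytes are read little-endian.
MAGICS = {
    0xFEEDFACE: ("<", 28),  # 32-bit, little-endian file
    0xFEEDFACF: ("<", 32),  # 64-bit, little-endian file
    0xCEFAEDFE: (">", 28),  # 32-bit, big-endian file
    0xCFFAEDFE: (">", 32),  # 64-bit, big-endian file
}
MIN_LOAD_CMD = 8  # every load command starts with uint32 cmd + uint32 cmdsize


def check_macho_ncmds(data: bytes):
    """Return (ok, reason) for a thin Mach-O image held in memory."""
    if len(data) < 4:
        return False, "too short for a Mach-O magic"
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in MAGICS:
        return False, "not a thin Mach-O (fat/universal files are not handled)"
    endian, hdr_size = MAGICS[magic]
    if len(data) < hdr_size:
        return False, "truncated mach_header"
    # Header layout: magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
    ncmds, sizeofcmds = struct.unpack(endian + "II", data[16:24])
    room = len(data) - hdr_size
    if sizeofcmds > room:
        return False, f"sizeofcmds {sizeofcmds} exceeds {room} bytes after header"
    if ncmds * MIN_LOAD_CMD > sizeofcmds:
        return False, f"ncmds {ncmds} cannot fit in sizeofcmds {sizeofcmds}"
    # Walk the commands so an inconsistent cmdsize is caught as well.
    off, end = hdr_size, hdr_size + sizeofcmds
    for i in range(ncmds):
        if off + MIN_LOAD_CMD > end:
            return False, f"load command {i} starts past sizeofcmds"
        (cmdsize,) = struct.unpack(endian + "I", data[off + 4:off + 8])
        if cmdsize < MIN_LOAD_CMD or off + cmdsize > end:
            return False, f"load command {i} has bad cmdsize {cmdsize}"
        off += cmdsize
    return True, f"{ncmds} load commands, {sizeofcmds} bytes"


def sample_macho(ncmds: int) -> bytes:
    # Constructed sample: 64-bit little-endian header plus one 24-byte LC_UUID.
    hdr = struct.pack("<IiiIIIII", 0xFEEDFACF, 0x0100000C, 0, 2, ncmds, 24, 0, 0)
    return hdr + struct.pack("<II", 0x1B, 24) + b"\x00" * 16
```

A file that fails this check should be kept out of the import queue or analyzed only in an isolated, memory-limited Ghidra instance.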
Preconditions
- Input: The attacker must provide a crafted Mach-O binary with an inflated ncmds value.
- Input: The target must import or analyze the crafted Mach-O binary using Ghidra.
Reproduction
Run Ghidra's headless analyzer to import one of the PoC files:

    ghidra/analyzeHeadless /tmp/ TestProject -import 03f9d9d6.bin -overwrite

Resulting Stack Trace:

    ERROR Abort due to Headless analyzer error: Java heap space (HeadlessAnalyzer)
    java.lang.OutOfMemoryError: Java heap space
        at java.base/java.util.Arrays.copyOf(Arrays.java:3482)
        at java.base/java.util.ArrayList.grow(ArrayList.java:237)
        at java.base/java.util.ArrayList.grow(ArrayList.java:244)
        at java.base/java.util.ArrayList.add(ArrayList.java:483)
        at java.base/java.util.ArrayList.add(ArrayList.java:496)
        at ghidra.app.util.bin.format.macho.MachHeader.parse(MachHeader.java:189)
        at ghidra.app.util.bin.format.macho.MachHeader.parse(MachHeader.java:150)

[ref_id=1]
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
- National Security Agency's Ghidra: 15 Vulnerabilities Disclosed on June 10, 2026 (Vypr Intelligence · Jun 10, 2026)