Ghidra 10.2 < 12.1 - Denial of Service via Circular...

6.7 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.

Basic Information

ID CVE-2026-49495

Source VulnCheck

Published Jun 10, 2026 at 12:36

Affected Product

Vendor nationalsecurityagency

Product ghidra

Version 10.2

Affected Versions nationalsecurityagency ghidra 10.2

CWE Classification

CWE-835

References

{
    "lastseen": "",
    "description": "Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.",
    "published": "2026-06-10T12:36:43.369Z",
    "modified": "2026-06-10T12:36:43.369Z",
    "type": "cve",
    "title": "Ghidra 10.2 < 12.1 - Denial of Service via Circular Reference in Mach-O Export Trie Parser",
    "source": "VulnCheck",
    "references": "https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-wm33-9f68-3vjg\nhttps://www.vulncheck.com/advisories/ghidra-denial-of-service-via-circular-reference-in-mach-o-export-trie-parser",
    "id": "CVE-2026-49495",
    "bulletinFamily": "",
    "cwe": [
        "CWE-835"
    ],
    "cvelist": null,
    "sourceData": "nationalsecurityagency ghidra 10.2",
    "sourceHref": "",
    "cvss": {
        "score": 6.7,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ghidra",
    "version": "10.2",
    "vendor": "nationalsecurityagency",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Ghidra 10.2 < 12.1 - Denial of Service via Circular Reference in Mach-O Export Trie Parser_CVE-2026-49495