CVE Catalog

CVE-2026-49495

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile — higher than 2% of all known CVEs

Summary

Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie(). The lack of cycle detection when processing Mach-O binary files leads to unbounded queue growth and exponential string concatenation.

Risk Assessment

This vulnerability can result in an OutOfMemoryError, crashing the entire JVM and losing unsaved user work. Organizations may lose valuable data and time if this error occurs.

Recommendation

It is recommended to update Ghidra to version 12.1 or later to mitigate this vulnerability. Additionally, monitoring and limiting the processing of potentially malicious Mach-O files is advisable.

Original NVD description (English source)

Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS