CVE-2026-49495
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie(). The lack of cycle detection when processing Mach-O binary files leads to unbounded queue growth and exponential string concatenation.
Risk Assessment
This vulnerability can result in an OutOfMemoryError, crashing the entire JVM and losing unsaved user work. Organizations may lose valuable data and time if this error occurs.
Recommendation
It is recommended to update Ghidra to version 12.1 or later to mitigate this vulnerability. Additionally, monitoring and limiting the processing of potentially malicious Mach-O files is advisable.
Original NVD description (English source)
Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.

