CVE-2019-16941

CRITICAL

NSA Ghidra <= 9.0.4 - Remote Code Execution via Bit Patterns Explorer XML File Processing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-16941. PoCs published by purpleracc00n.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2019-16941, a deserialization vulnerability in Ghidra's experimental plugin 'FunctionBitPatternsExplorer'. It explains the payload creation process using Ghidra's script manager and the execution steps required to achieve arbitrary code execution via a reverse shell.

Description

NSA Ghidra through 9.0.4, when experimental mode is enabled, allows arbitrary code execution if the Read XML Files feature of Bit Patterns Explorer is used with a modified XML document. This occurs in Features/BytePatterns/src/main/java/ghidra/bitpatterns/info/FileBitPatternInfoReader.java. An attack could start with an XML document that was originally created by DumpFunctionPatternInfoScript but then directly modified by an attacker (for example, to make a java.lang.Runtime.exec call).

Exploits (1)

nomisec WRITEUP 4 stars

by purpleracc00n · poc

https://github.com/purpleracc00n/CVE-2019-16941

View Code ZIP pw:eip

This repository provides a detailed technical analysis of CVE-2019-16941, a deserialization vulnerability in Ghidra's experimental plugin 'FunctionBitPatternsExplorer'. It explains the payload creation process using Ghidra's script manager and the execution steps required to achieve arbitrary code execution via a reverse shell.

Classification

Writeup 90%

Attack Type

Deserialization

Complexity

Moderate

Reliability

Theoretical

Target: Ghidra (with Experimental plugin 'FunctionBitPatternsExplorer' enabled)

No auth needed

Prerequisites: Ghidra installed with the experimental plugin enabled · Victim interaction to load the malicious XML file

devstral-2 · analyzed Feb 18, 2026 Full analysis →