CVE-2026-52759
MEDIUMGhidra < 12.1.1 - Denial of Service via Uncontrolled Memory Allocation in Mach-O Parser
Title source: cnaDescription
Ghidra before 12.1.1 contains an uncontrolled memory allocation vulnerability in the Mach-O binary parser that allows attackers to cause denial of service. An attacker can supply a crafted Mach-O binary with an arbitrarily large ncmds load command count value, forcing the parser to allocate excessive heap memory without validating file size, crashing the Ghidra JVM.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-v6c3-h9cp-3whf)
https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-v6c3-h9cp-3whf
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/ghidra-denial-of-service-via-uncontrolled-memory-allocation-in-mach-o-parser
Scores
CVSS v3
5.5
EPSS
0.0011
EPSS Percentile
1.6%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-789
Status
published
Products (3)
Ghidra/Ghidra
< 12.1.1
Ghidra/Ghidra
12.1.1
nsa/ghidra
< 12.1.1
Published
Jun 10, 2026
Tracked Since
Jun 10, 2026