CVE-2026-49495 MEDIUM

CVE-2026-49495: Ghidra 10.2 < 12.1 - Denial of Service via Circular Reference in Mach-O Export Trie Parser

Vendor Nationalsecurityagency

Product ghidra

Weakness CWE-835

Published June 10, 2026

Last update June 10, 2026

View on NVD All CVEs

CVSS base score

6.7/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.

Key dates

02Disclosure timeline

June 10, 2026 CVE published

June 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-49495

Related vulnerabilities

CVE-2026-49495: Ghidra 10.2 < 12.1 - Denial of Service via Circular Reference in Mach-O Export Trie Parser

01Description

02Disclosure timeline

03References

04Related CVE