CVE-2026-52757 MEDIUM

CVE-2026-52757: Ghidra < 12.1 - Heap-use-after-free in HighVariable::merge() during decompilation

Vendor Nationalsecurityagency
Product ghidra
Weakness CWE-416
Published June 10, 2026
Last update June 10, 2026

CVSS base score

4.6/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Ghidra before 12.1 contains a heap-use-after-free vulnerability in the decompiler's HighVariable::merge() function during the variable merging pass. Attackers can trigger this vulnerability by crafting a binary that causes stale pointers in the HighIntersectTest::highedgemap cache to be dereferenced, reading and writing the flags field of freed heap memory when a user opens the binary in Ghidra's decompiler view.

Key dates

02Disclosure timeline

June 10, 2026 CVE published
June 10, 2026 Record updated