Ghidra 10.2 < 12.1 - Denial of Service via Circular Reference in Mach-O Export Trie Parser
CVE-2026-49495

6.7MEDIUM

Key Information:

Vendor: Nationalsecurityagency
Status: Ghidra
Vendor: CVE Published:; 10 June 2026

🔔 Create Nationalsecurityagency Vulnerability Alert

What is CVE-2026-49495?

Ghidra 10.2 before 12.1 contains an uncontrolled resource consumption vulnerability in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.

Affected Version(s)

ghidra 10.2 < 12.1

ghidra 12.1

References

https://github.com/NationalSecurityAgency/ghidra/security...

vendor-advisory

https://www.vulncheck.com/advisories/ghidra-denial-of-ser...

third-party-advisory

CVSS V4

Score:

6.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2026
Vulnerability Reserved
May 31, 2026

Credit

Donghwoo Cho

CVE-2026-49495 Data

JSON