PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49495 nationalsecurityagency CVE debrief

CVE-2026-49495 is a MEDIUM severity vulnerability in Ghidra 10.2 before 12.1. The vulnerability is caused by an uncontrolled resource consumption issue in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.

Vendor
nationalsecurityagency
Product
ghidra
CVSS
MEDIUM 6.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-11
Advisory published
2026-06-10
Advisory updated
2026-06-11

Who should care

Users of Ghidra 10.2 before 12.1 should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is caused by an uncontrolled resource consumption issue in ExportTrie.parseTrie() that lacks cycle detection when traversing Mach-O binary export tries. A crafted Mach-O binary with circular references in the export trie causes unbounded queue growth and exponential string concatenation, triggering OutOfMemoryError that crashes the entire JVM and loses all unsaved work.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade to Ghidra 12.1 or later.
  • Avoid processing untrusted Mach-O binaries with Ghidra 10.2 before 12.1.

Evidence notes

The CVE-2026-49495 vulnerability was published on [cve-org](https://www.cve.org/CVERecord?id=CVE-2026-49495) and has a CVSS score of 6.7. The vulnerability is tracked on [nvd](https://nvd.nist.gov/vuln/detail/CVE-2026-49495).

Official resources

CVE-2026-49495 was published on 2026-06-10T14:16:34.360Z and modified on 2026-06-11T19:49:06.780Z.