PatchSiren cyber security CVE debrief
CVE-2026-49496 nationalsecurityagency CVE debrief
CVE-2026-49496 is a medium-severity (CVSS 6.9) heap-use-after-free vulnerability in Ghidra before version 12.1. It is caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. It can be triggered by decompiling malicious binaries through the public Sleigh::oneInstruction C++ API, which also affects downstream SLEIGH library consumers.
- Vendor: nationalsecurityagency
- Product: ghidra
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of Ghidra before version 12.1 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is located in SleighBuilder::generatePointerAdd and is caused by iterator invalidation when PcodeCacher::allocateInstruction reallocates the issued vector. This can lead to memory corruption when decompiling malicious binaries through the public Sleigh::oneInstruction C++ API.
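The bug class described above, as an added example that is not Ghidra's code: a simplified C++ model in which a vector of issued ops reallocates while an iterator into it is still held, next to the index-based form that stays valid. `Op`, `Cache`, `allocate`, `add_unsafe`, `add_safe` and `full_vector_allocation_moves_storage` are hypothetical names chosen for illustration.

```cpp
// Simplified model of iterator invalidation on vector growth (not Ghidra source).
// All type and function names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <vector>

struct Op { int opcode; std::uint64_t input; };

struct Cache {
    std::vector<Op> issued;
    // Appends an op. push_back may reallocate and move every element.
    std::size_t allocate(int opcode) {
        issued.push_back(Op{opcode, 0});
        return issued.size() - 1;
    }
};

// Vulnerable shape: an iterator taken before allocate() is used after it.
// If allocate() reallocated, `it` points into freed heap memory.
void add_unsafe(Cache &c, std::uint64_t v) {
    std::size_t idx = c.allocate(1);
    auto it = c.issued.begin() + idx;
    c.allocate(2);      // may free the buffer `it` refers to
    it->input = v;      // heap-use-after-free when reallocation occurred
}

// Hardened shape: keep an index and resolve it only after all allocations.
std::size_t add_safe(Cache &c, std::uint64_t v) {
    std::size_t idx = c.allocate(1);
    c.allocate(2);
    c.issued[idx].input = v;   // fresh lookup into the current buffer
    return idx;
}

// Shows that one more allocation on a full vector moves its storage.
// Only addresses are compared; the old buffer is never dereferenced.
bool full_vector_allocation_moves_storage(Cache &c) {
    c.allocate(0);
    while (c.issued.size() < c.issued.capacity()) c.allocate(0);
    auto before = reinterpret_cast<std::uintptr_t>(c.issued.data());
    c.allocate(0);
    return before != reinterpret_cast<std::uintptr_t>(c.issued.data());
}
```

`add_unsafe` is shown only for contrast and is never called here; building with AddressSanitizer is one way to surface this pattern in code that consumes such a cache.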
Defensive priority
Medium
Recommended defensive actions
- Update Ghidra to version 12.1 or later.
- Avoid decompiling untrusted binaries using the public Sleigh::oneInstruction C++ API.
Evidence notes
The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information and mitigations can be found at [ref-4], [ref-5], and [ref-6].
Official resources
- CVE-2026-49496 CVE record (CVE.org)
- CVE-2026-49496 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Patch)
- Mitigation or vendor reference ([email protected] - Exploit, Vendor Advisory)
- Mitigation or vendor reference ([email protected] - Third Party Advisory)
CVE-2026-49496 was published on 2026-06-10 and modified on 2026-06-11.