SB20260515104 - Multiple vulnerabilities in Ghidra

Published: May 15, 2026

Security Bulletin ID: SB20260515104
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 9
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 11% Medium 78% Low 11%

Description

This security bulletin contains information about 9 vulnerabilities.


1) Command injection (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to command injection in the browser-launch configuration and the URL annotation click handler on Windows, which pass the target of a clicked {@url ...} annotation embedded in program comments to the launcher without neutralizing cmd.exe metacharacters. A remote attacker can craft a malicious project, program, or script containing a URL annotation with cmd.exe metacharacters; when the victim clicks the annotation, arbitrary code executes.

User interaction is required, and the issue affects Windows systems using the default browser-launch configuration.


2) Improper Verification of Cryptographic Signature (CVE-ID: N/A)

The vulnerability allows a remote user to impersonate another user and escalate privileges.

The vulnerability exists due to improper verification of cryptographic signature in PKIAuthenticationModule.authenticate() when processing PKI authentication requests. A remote user can present a target user's public certificate with a null signature to impersonate another user and escalate privileges.

Exploitation requires PKI authentication mode to be enabled, and the attacker must possess a valid CA-signed certificate while obtaining the target's public certificate.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in ExportTrie.parseTrie() when parsing a crafted Mach-O export trie. A remote attacker can trick the victim into opening a crafted Mach-O binary to cause a denial of service.

User interaction is required to open the crafted file, and the issue affects both GUI and headless mode.


4) Path traversal (CVE-ID: N/A)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to path traversal in SameDirDebugInfoProvider when processing a crafted ELF binary with a .gnu_debuglink filename during automatic DWARF analysis. A remote attacker can supply a specially crafted ELF binary to disclose sensitive information.

User interaction is required to open the crafted ELF binary. In headless analysis pipelines, the log output produced during analysis may be captured and returned to whoever submitted the binary.
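
Worked example (added here, not SameDirDebugInfoProvider's code): decoding a .gnu_debuglink section and constraining the lookup so that the filename it carries can only name a file in the binary's own directory. The section bytes, the directory /opt/samples and the sample debug payload are constructed for this example.

```python
# Added example (not Ghidra's SameDirDebugInfoProvider): parse .gnu_debuglink
# and confine the same-directory lookup. Paths and payloads are constructed.
import os
import struct
import zlib


def parse_gnu_debuglink(section: bytes) -> tuple[str, int]:
    """Decode .gnu_debuglink: NUL-terminated name, padded to 4 bytes, then CRC32 (LE)."""
    end = section.find(b"\x00")
    if end == -1:
        raise ValueError("unterminated .gnu_debuglink filename")
    crc_off = (end + 1 + 3) & ~3
    if len(section) < crc_off + 4:
        raise ValueError("truncated .gnu_debuglink section")
    (crc,) = struct.unpack("<I", section[crc_off:crc_off + 4])
    return section[:end].decode("utf-8", errors="replace"), crc


def build_gnu_debuglink(name: str, crc: int) -> bytes:
    """Inverse of parse_gnu_debuglink, used here only to construct sample sections."""
    body = name.encode("utf-8") + b"\x00"
    body += b"\x00" * (-len(body) % 4)
    return body + struct.pack("<I", crc & 0xFFFFFFFF)


def debug_crc_matches(debug_file: bytes, expected: int) -> bool:
    """The debuglink CRC is the standard CRC-32, the same one zlib computes."""
    return (zlib.crc32(debug_file) & 0xFFFFFFFF) == expected


def unsafe_candidate(binary_dir: str, name: str) -> str:
    """The traversal-prone pattern: join whatever the section says onto the directory."""
    return os.path.normpath(os.path.join(binary_dir, name))


def safe_candidate(binary_dir: str, name: str):
    """Accept only a bare filename and prove the resolved path still sits in binary_dir.

    Returns the resolved path, or None when the name must be ignored. realpath()
    also follows a planted symlink, so a link pointing elsewhere is rejected too.
    """
    if not name or name in (".", "..") or "\x00" in name:
        return None
    if "/" in name or "\\" in name:
        return None
    base = os.path.realpath(binary_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(candidate) != base:
        return None
    return candidate


# Constructed samples: a traversal name as a crafted ELF would carry it, and a
# benign section whose CRC matches a stand-in debug payload.
TRAVERSAL_SECTION = build_gnu_debuglink("../../../../etc/passwd", 0)
SAMPLE_DEBUG = b"constructed stand-in for a .debug file"
SAMPLE_SECTION = build_gnu_debuglink("libfoo.so.debug", zlib.crc32(SAMPLE_DEBUG))

if __name__ == "__main__":
    name, _ = parse_gnu_debuglink(TRAVERSAL_SECTION)
    print(unsafe_candidate("/opt/samples", name))   # climbs out of the directory
    print(safe_candidate("/opt/samples", name))     # None
    print(safe_candidate("/opt/samples", parse_gnu_debuglink(SAMPLE_SECTION)[0]))
```

unsafe_candidate shows how a relative name climbs out of the directory; safe_candidate rejects any separator and then compares the real-path parent against the directory. The CRC check is the one gdb applies to the file it finds, and it is worth keeping even once the path is constrained.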


5) Deserialization of Untrusted Data (CVE-ID: N/A)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in the Ghidra client-side Shared-Project connection code. A crafted project file causes the client to open a ghidra:// connection to the server named in the file and to deserialize the RMI responses that server returns. A remote attacker can provide a specially crafted Ghidra project file to execute arbitrary code on the client.

User interaction is required to open the project file.


6) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to SQL injection in changePassword() in PostgresFunctionDatabase when processing a PasswordChange network protocol message. A remote user can send a specially crafted username value to escalate privileges.

The issue arises because double quote characters in the username are not escaped before the value is interpolated into an ALTER ROLE SQL statement.


7) SQL injection (CVE-ID: N/A)

The vulnerability allows a remote user to inject arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in BSim search filter types when processing XML protocol messages received over the BSim network query protocol. A remote user can send specially crafted filter values to inject arbitrary SQL commands.

Multiple filter types concatenate user-supplied values directly into SQL queries without escaping or parameterization; the affected values arrive in XML messages received over the network.
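
Worked example (added here, not Ghidra's PostgresFunctionDatabase or BSim filter code), covering items 6 and 7: how an unescaped username changes which role an ALTER ROLE statement touches, how PostgreSQL identifier and literal quoting close that gap, and the same literal quoting applied to a search filter value. The statement shapes, the table name funcs and the usernames are assumptions for illustration.

```python
# Added example (not Ghidra code): PostgreSQL quoting for the ALTER ROLE
# identifier in item 6 and for filter literals in item 7. Statement shapes,
# the table name "funcs" and the sample usernames are assumed.


def quote_ident(name: str) -> str:
    """PostgreSQL identifier quoting: wrap in double quotes, double any embedded one."""
    if "\x00" in name:
        raise ValueError("NUL byte is never valid in an identifier")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(value: str) -> str:
    """PostgreSQL string-literal quoting: double any embedded single quote."""
    if "\x00" in value:
        raise ValueError("NUL byte is never valid in a literal")
    return "'" + value.replace("'", "''") + "'"


def alter_role_unsafe(username: str, password: str) -> str:
    """The pattern the bulletin describes: username pasted between quotes, unescaped."""
    return f'ALTER ROLE "{username}" WITH PASSWORD {quote_literal(password)}'


def alter_role_safe(username: str, password: str) -> str:
    return f"ALTER ROLE {quote_ident(username)} WITH PASSWORD {quote_literal(password)}"


def name_filter_unsafe(value: str) -> str:
    """Item 7 pattern: a filter value concatenated straight into the query."""
    return f"SELECT id FROM funcs WHERE name = '{value}'"


def name_filter_safe(value: str) -> str:
    return f"SELECT id FROM funcs WHERE name = {quote_literal(value)}"


def parse_alter_role(sql: str) -> tuple[str, str]:
    """Read the statement as the server would: (role name, rest of the first statement).

    Honors "" inside a quoted identifier, '' inside a literal, -- line comments
    outside literals, and ';' as the statement terminator outside literals.
    """
    prefix = 'ALTER ROLE "'
    if not sql.startswith(prefix):
        raise ValueError("expected a quoted identifier after ALTER ROLE")
    i, name = len(prefix), []
    while True:
        if i >= len(sql):
            raise ValueError("unterminated identifier")
        if sql[i] == '"':
            if sql.startswith('""', i):
                name.append('"')
                i += 2
                continue
            i += 1
            break
        name.append(sql[i])
        i += 1
    rest, in_literal = [], False
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            if sql.startswith("''", i):
                rest.append("''")
                i += 2
                continue
            in_literal = ch != "'"
        elif ch == "'":
            in_literal = True
        elif sql.startswith("--", i):
            nl = sql.find("\n", i)
            i = len(sql) if nl == -1 else nl + 1
            continue
        elif ch == ";":
            break
        rest.append(ch)
        i += 1
    return "".join(name), "".join(rest).strip()


if __name__ == "__main__":
    evil = 'alice" SUPERUSER; --'          # constructed username from a PasswordChange message
    print(parse_alter_role(alter_role_unsafe(evil, "hunter2")))
    print(parse_alter_role(alter_role_safe(evil, "hunter2")))
    print(name_filter_safe("x' OR 1=1 --"))
```

parse_alter_role shows the effect: the unsafe statement grants SUPERUSER to alice and never sets a password, while the safe one sets a password on a role literally named alice" SUPERUSER; --. Where the driver allows it, bind filter values as parameters rather than quoting them; identifiers such as a role name usually cannot be bound, so they need quote_ident or the driver's equivalent (psycopg's sql.Identifier, or format('%I') on the server).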


8) Use-after-free (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause memory corruption.

The vulnerability exists due to use-after-free in SleighBuilder::generatePointerAdd when decompiling a malicious binary via the public C++ API. A remote attacker can trick the victim into decompiling a crafted binary to cause memory corruption.

The issue affects downstream users of the Sleigh C++ backend and does not impact the Ghidra Java interface. User interaction is required to decompile the crafted binary.


9) Use-after-free (CVE-ID: N/A)

The vulnerability allows a remote attacker to corrupt memory or cause a denial of service.

The vulnerability exists due to use-after-free in HighVariable::merge() and HighIntersectTest::highedgemap cache handling when decompiling a crafted binary. A remote attacker can trick the victim into opening a crafted binary to corrupt memory or cause a denial of service.

User interaction is required to open the decompiler view or otherwise trigger decompilation, including through analyzeHeadless.


Remediation

Install the update from the vendor's website.