Search

Find a vulnerability

Search criteria

    1 vulnerability by NSA

    GCVE-1337-2026-000000000… (CVE-2026-4946)

    Vulnerability from gna-1337 – Published: 2026-03-29 19:35 – Updated: 2026-03-29 19:35
    VLAI
    Title
    NSA Ghidra Auto-Analysis Annotation Command Execution
    Summary
    Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine.
    CWE
    • CWE-78 - Improper neutralization of special elements used in an OS command ('OS command injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    NSA Ghidra Affected: 0 , < 12.0.3 (semver)
    Create a notification for this product.
    Date Public
    2026-03-29 18:37
    Credits
    Mobasi Security Team todb of AHA!

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Ghidra",
              "vendor": "NSA",
              "versions": [
                {
                  "lessThan": "12.0.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mobasi Security Team"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "todb of AHA!"
            }
          ],
          "datePublic": "2026-03-29T18:37:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst\u2019s machine."
                }
              ],
              "value": "Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst\u2019s machine."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "other": {
                "content": {
                  "options": [
                    {
                      "Exploitation": "poc"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "total"
                    }
                  ],
                  "role": "CNA",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "CWE-78 Improper neutralization of special elements used in an OS command (\u0027OS command injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-03-29T19:35:30.692Z",
            "orgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
            "shortName": "AHA"
          },
          "references": [
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001011111111111000111111110000000000000000000000000000000000000000000000000000000110"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-mc3p-mq2p-xw6v"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "NSA Ghidra Auto-Analysis Annotation Command Execution",
          "x_generator": {
            "engine": "Vulnogram 1.0.1"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "26969f82-7e87-44d8-9cb5-f6fb926ddd43",
        "assignerShortName": "AHA",
        "cveId": "CVE-2026-4946",
        "datePublished": "2026-03-29T19:35:30.692Z",
        "dateReserved": "2026-03-27T02:17:29.992Z",
        "dateUpdated": "2026-03-29T19:35:30.692Z",
        "serial": 1,
        "state": "PUBLISHED",
        "vulnId": "GCVE-1337-2026-00000000000000000000000000000000000000000000000001011111111111000111111110000000000000000000000000000000000000000000000000000000110"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }