Platform: java
Component: ghidra
Fixed in: 12.0.3
CVE-2026-4946 describes a remote code execution (RCE) vulnerability in Ghidra versions prior to 12.0.3. The vulnerability arises from how Ghidra handles annotation directives embedded within automatically extracted binary data. An attacker can craft a malicious binary that, when analyzed, presents clickable text that executes arbitrary commands on the analyst's machine, potentially leading to complete system compromise. Affected versions include all releases from 0.0 up to, but not including, 12.0.3; upgrading to version 12.0.3 resolves the issue.
The impact of CVE-2026-4946 is significant. A successful exploit allows an attacker to execute arbitrary code within the context of the Ghidra process, effectively gaining control over the analyst's machine. This could involve installing malware, stealing sensitive data, or pivoting to other systems on the network. The vulnerability is particularly concerning because it targets reverse engineers and security analysts, who often work with potentially malicious code. The attack vector involves crafting a binary containing malicious annotation directives, which are then processed by Ghidra during auto-analysis. The resulting clickable text appears benign, tricking the analyst into executing the attacker's commands. This resembles social engineering tactics combined with technical exploitation, making detection challenging.
CVE-2026-4946 was publicly disclosed on 2026-03-29. There is currently no indication of active exploitation in the wild, but the vulnerability's ease of exploitation and the high-value target (security analysts) make it a potential concern. The vulnerability has been added to the CISA KEV catalog, indicating a heightened level of risk. No public proof-of-concept (PoC) code has been released as of the time of this writing, but the vulnerability's nature suggests that a PoC is likely to emerge.
Exploit Status
EPSS: 0.05% (15th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-4946 is to upgrade Ghidra to version 12.0.3 or later. This version includes a fix that properly handles annotation directives, preventing the arbitrary command execution. If upgrading is not immediately feasible, isolate the Ghidra instances used for analyzing potentially malicious binaries, and restrict their network access to limit the potential for lateral movement. Carefully review any automatically generated comments or annotations within Ghidra, especially those derived from external binaries. A WAF or proxy cannot directly mitigate this vulnerability, since the exposed surface is the analyst's desktop application rather than a network service; validating and screening binaries for embedded annotation directives before they are loaded into Ghidra can provide a secondary layer of defense. After upgrading, confirm the fix in one of these isolated instances by analyzing a known malicious binary that previously triggered the vulnerability and verifying that no commands are executed.
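As an added example, not code from the advisory or from the Ghidra project, the script below implements two of the checks above in Python: it pre-screens a binary's printable strings for comment-annotation directives before the file is loaded into an unpatched Ghidra, and it compares an installed Ghidra version string against the 12.0.3 fix level. The `{@name args}` directive syntax matched here and the sample bytes are assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Added example (not from the advisory or the Ghidra project): pre-screen a
# binary for annotation directives and check an installed version against the
# fixed release named in the advisory.

FIXED_VERSION = (12, 0, 3)  # "Fixed in 12.0.3" from the advisory

# Assumption: comment annotations take the form {@name args}. Any directive
# found inside raw binary data deserves manual review, whatever its name.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
_DIRECTIVE = re.compile(r"\{@([A-Za-z]+)\b([^}]*)\}")


def extract_strings(data: bytes) -> List[str]:
    """Return printable ASCII runs (4+ chars), like a strings-style extraction."""
    return [m.group(0).decode("ascii") for m in _PRINTABLE.finditer(data)]


def find_annotation_directives(data: bytes) -> List[Tuple[str, str]]:
    """Return (directive_name, argument_text) for every {@...} found in data."""
    hits = []
    for s in extract_strings(data):
        for m in _DIRECTIVE.finditer(s):
            hits.append((m.group(1), m.group(2).strip()))
    return hits


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.0.2' into (12, 0, 2); a trailing label such as '-DEV' is ignored."""
    core = version.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any release prior to 12.0.3, per the advisory."""
    return parse_version(version) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample: an ordinary string followed by an embedded directive.
    sample = b"\x7fELF\x00\x00hello world\x00{@url \"http://example.invalid\"}\x00\xff\xfe"
    for name, args in find_annotation_directives(sample):
        print(f"annotation directive found: @{name} {args!r} -> review before analysis")
    for v in ("11.3.2", "12.0.2", "12.0.3", "12.1"):
        print(v, "vulnerable" if is_vulnerable_version(v) else "fixed")
```

Run the screen over a sample before opening it in an unpatched instance; any hit is a reason to inspect the file's strings and comments by hand.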
Update Ghidra to version 12.0.3 or later. This version corrects the vulnerability that allows arbitrary command execution through malicious annotation directives in automatically extracted binary data.
CVE-2026-4946 is a remote code execution vulnerability in Ghidra versions prior to 12.0.3. Crafted binaries can trigger arbitrary command execution when an analyst interacts with the UI.
If you are using a Ghidra version from 0.0 up to, but not including, 12.0.3, you are potentially affected by this vulnerability. Upgrade to 12.0.3 or later to mitigate the risk.
Upgrade Ghidra to version 12.0.3 or later. This version includes a fix that prevents the arbitrary command execution.
There is currently no indication of active exploitation in the wild, but the vulnerability's nature makes it a potential concern.
Refer to the official Ghidra security advisory for detailed information and updates: [https://ghidra-sre.org/security/](https://ghidra-sre.org/security/)