Introduction
The NSA's Ghidra reverse engineering framework, used daily by malware analysts and security researchers across government and industry, contains an unauthenticated remote code execution vulnerability that can be triggered simply by opening a shared project file. CVE-2026-52751, carrying a CVSS score of 8.8, exploits a missing deserialization filter in Ghidra's client-side RMI connection code to execute arbitrary commands on the victim's workstation through a bundled Jython gadget chain.
Technical Information
Root Cause: Asymmetric Deserialization Filtering
The core issue is a trust boundary failure in Ghidra's Shared Project feature. When a Ghidra client connects to a Ghidra Server via RMI, it deserializes returned objects using ObjectInputStream.readObject() with no ObjectInputFilter in effect. This is notable because the Ghidra Server side does install a strict allow-list filter at startup. The client side simply never received equivalent protection. This asymmetry means that if a client can be tricked into connecting to a malicious RMI endpoint, the attacker controls what gets deserialized.
This is a textbook instance of CWE-502 (Deserialization of Untrusted Data), a vulnerability class that has been responsible for some of the most impactful Java exploits over the past decade.
Silent Connection via ghidra:// URLs in Project Files
The attack entry point is Ghidra's project file format. The DefaultProject.restore() method processes the project's projectState XML and silently opens a ghidra:// connection for every <OPEN_REPOSITORY_VIEW URL="..."/> element it encounters. There is no user confirmation dialog, no warning, and no opportunity to inspect the URL before the connection is made. The victim simply performs File, Open Project on what appears to be a normal Ghidra project, and the connection to the attacker's server happens automatically.
The Jython 2.7.4 PyMethod Gadget Chain
Ghidra bundles jython-standalone-2.7.4.jar, which provides the classes needed for the exploitation chain. The PyMethod class implements java.lang.reflect.InvocationHandler and lacks a readResolve guard, making it suitable as a deserialization gadget. The chain follows a well known pattern in the Java deserialization research community:
| Step | Action | Component |
|---|---|---|
| 1 | Attacker crafts malicious Ghidra project file | projectState XML with ghidra:// URL |
| 2 | Victim opens project via File, Open Project | DefaultProject.restore() |
| 3 | Client silently connects to attacker controlled server | RMI connection via ghidra:// URL |
| 4 | Server returns malicious serialized object | No ObjectInputFilter on client |
| 5 | ObjectInputStream.readObject() deserializes payload | Jython PyMethod gadget chain |
| 6 | PriorityQueue.readObject() triggers gadget chain | InvocationHandler proxy |
| 7 | Arbitrary command execution on victim machine | Runtime.getRuntime().exec() |
The ysoserial project has included a Jython1 gadget exploiting similar classes, and Tenable documented the PyMethod InvocationHandler technique back in 2016. The gadget chain concept here is not novel; what makes this vulnerability significant is the delivery mechanism and the target audience.
Delivery Vectors and Social Engineering Surface
The advisory specifically identifies delivery channels that are deeply embedded in the security research community's daily workflows: email attachments, Slack and Teams direct messages, AirDrop, shared cloud drives, git clone operations, and sample sharing forums. Reverse engineers and malware analysts routinely exchange project files and analysis artifacts through these channels, making social engineering attacks against this vulnerability highly plausible.
CVSS Scoring
There is a scoring discrepancy worth noting across sources:
| Source | CVSS Version | Score |
|---|---|---|
| NVD | v3.1 | 8.8 |
| GHSA Advisory | v3.1 | 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) |
| VulnCheck | v4 | 8.6 |
The GHSA advisory uses an Attack Vector of Local (AV:L), reflecting that the victim must open a local file. The NVD score of 8.8 likely uses a Network attack vector. Regardless of the specific scoring, all assessments classify this as High severity with full impact on confidentiality, integrity, and availability.
Affected Systems and Versions
All Ghidra versions containing the Shared Project feature are vulnerable. This includes every release from version 9.1 onward through versions prior to 12.1. The advisory states that the code paths involved are unchanged in every release since the feature's introduction.
The only fixed version is Ghidra 12.1, released on May 13, 2026. No configuration workaround exists to disable the vulnerable code paths in earlier versions.
Vendor Security History
Ghidra has had at least two High severity RCE vulnerabilities disclosed in 2026, both reflecting a pattern of trust boundary failures:
| Vulnerability | CVE | CVSS | CWE | Affected Versions | Patched Version |
|---|---|---|---|---|---|
| RMI Deserialization RCE | CVE-2026-52751 | 8.8 | CWE-502 | < 12.1 | 12.1 |
| Annotation Command Injection RCE | CVE-2026-4946 | 8.8 | CWE-78 | < 12.0.3 | 12.0.3 |
CVE-2026-4946 exploits annotation directives in auto-extracted binary data to achieve command injection. Both vulnerabilities share a common architectural weakness: Ghidra fails to distinguish between trusted and untrusted data at critical processing boundaries.
The Ghidra Team is not currently authorized to generate CVEs directly from security advisories. CVE-2026-52751 was assigned through VulnCheck's disclosure process. The vulnerability was reported by researcher @jro-calif, and the fix was developed collaboratively with Oceanit's Software and Cybersecurity team.
References
- NVD Entry for CVE-2026-52751
- GHSA Advisory: Ghidra RCE via Unfiltered RMI Deserialisation
- VulnCheck Advisory: Ghidra Remote Code Execution via Unfiltered RMI Deserialization
- Ghidra Commit 91a2691 (Fix)
- Ghidra Releases (including 12.1)
- Ghidra Security Overview
- NSA Ghidra Official Page
- Oceanit: Engineers Help Fix Vulnerability in NSA Cybersecurity Tool
- Tenable: Expanding on a Known Vulnerability: Attacking with Jython
- CVE-2026-4946 Detail (Related Ghidra RCE)
- GHSA Advisory for CVE-2026-4946
- SentinelOne: CVE-2026-4946
- Java Deserialization Gadget Chains (Klogix Security)
- GadgetInspector: Byte Code Analyzer for Deserialization Gadgets



