Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation (which is intended for trusted, user-authored comments) is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4946.json",
"cwe_ids": [
"CWE-78"
],
"cna_assigner": "AHA"
}[
{
"source": "https://github.com/nationalsecurityagency/ghidra/commit/09f14c92d3da6e5d5f6b7dea115409719db3cce1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"threshold": 0.9,
"line_hashes": [
"14452560219353461874682079616675760102",
"241878227154669002884272489390380470983",
"218711909065982768287021434254879024722",
"38661557862576582862024771976370105508",
"210494956023312644073447038487532306819",
"26950389001681389779894752331159027220",
"44134878735772219776368491806952433447",
"16796979239897166686115193572286690222"
]
},
"id": "CVE-2026-4946-18a71f2c",
"signature_type": "Line",
"target": {
"file": "Ghidra/Test/IntegrationTest/src/test.slow/java/ghidra/server/remote/ServerTestUtil.java"
}
},
{
"source": "https://github.com/nationalsecurityagency/ghidra/commit/09f14c92d3da6e5d5f6b7dea115409719db3cce1",
"deprecated": false,
"signature_version": "v1",
"digest": {
"function_hash": "155739949213535221348782618684453007072",
"length": 1444.0
},
"id": "CVE-2026-4946-7e1d5bb7",
"signature_type": "Function",
"target": {
"function": "generatePkiCerts",
"file": "Ghidra/Test/IntegrationTest/src/test.slow/java/ghidra/server/remote/ServerTestUtil.java"
}
}
]
"2026-07-15T15:56:22Z"
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4946.json"