CVE-2024-58350: Ghidra < 11.2 - Use After Free in Sleigh Backend via Static Initialization Order
Ghidra before 11.2 contains a use after free vulnerability in the Sleigh backend caused by undefined static initialization order of the SleighArchitecture::translators and XmlArchitectureCapability singletons. Attackers can trigger an infinite loop or denial of service during shutdown by exploiting the unsafe destruction order that causes iteration over deallocated memory.
Security readout for executives and security teams
Plain-English summary
Ghidra versions before 11.2 can hang or fail during shutdown because internal Sleigh backend objects may be destroyed in an unsafe order. The known business impact is availability only: analyst tooling may be disrupted, not data theft or code execution based on the provided sources.
Executive priority
Treat this as a low-priority maintenance update unless Ghidra is heavily used in critical analysis workflows. It affects tool availability, not customer-facing services or sensitive data according to the provided evidence.
Technical view
The issue is a use-after-free caused by undefined static initialization and destruction order involving SleighArchitecture::translators and XmlArchitectureCapability singletons. Iteration over deallocated memory can trigger an infinite loop or denial of service during shutdown. CVSS 3.1 is 2.9: local, high complexity, no confidentiality or integrity impact, low availability impact.
Likely exposure
Exposure is likely limited to environments running Ghidra before 11.2, especially analyst workstations or automation systems using the Sleigh backend. The CVSS vector is local and high complexity, so this is not described as a remotely reachable service risk.
Exploitation context
The source bundle says KEV is false and provides no evidence of active exploitation. The described outcome is an infinite loop or denial of service during shutdown, not code execution. Evidence is incomplete on practical trigger conditions beyond the unsafe destruction order.
Researcher notes
CWE-758 applies because undefined behavior from static initialization order leads to unsafe singleton destruction. Focus validation on version exposure and availability symptoms. Do not assume remote exploitability, data access, or a broader product impact beyond Ghidra before 11.2.
Mitigation direction
Upgrade Ghidra installations to version 11.2 or later.
Prioritize analyst systems that process untrusted binaries or run Ghidra automation.
Check the NSA GitHub advisory for vendor-specific remediation guidance.
Document any temporary exception for systems that cannot be upgraded promptly.
Validation and detection
Inventory installed Ghidra versions across analyst workstations and automation hosts.
Confirm no production or lab system remains below Ghidra 11.2.
Review shutdown hang or crash reports for affected Ghidra systems.
Verify vulnerability tracking records cite the vendor advisory and upgrade status.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-758: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-758 · source CWE mapping
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.