CVE-2016-20049 | JAD 1.5.8e-1kali1 and prior contains a stack-based buffer ov… | CVSS 9.8 CRITICAL

Description

JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying oversized input that exceeds buffer boundaries. Attackers can craft malicious input strings exceeding 8150 bytes to overflow the stack, overwrite return addresses, and execute shellcode in the application context.

Metadata

CVE ID: CVE-2016-20049
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-03-28 11:42 UTC
Published: 2026-03-28 11:58 UTC
Last updated: 2026-03-30 14:53 UTC
Primary CWE: CWE-787
Out-of-bounds Write
Vendor / Product: Varaneckas / JAD Java Decompiler
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Varaneckas	JAD Java Decompiler	—	1.5.8e-1kali1

Weakness (CWE)

CWE	Source	Description
CWE-787	cna	Out-of-bounds Write

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)

ExploitDB-42076 https://www.exploit-db.com/exploits/42076
Official Product Homepage http://www.varaneckas.com/jad/
VulnCheck Advisory: JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow Remote Code Execution https://www.vulncheck.com/advisories/jad-8e-1kali1-stack-based-buffer-overflow-remote-code-execution