CVE-2016-20037
Published: 28 March 2026
Summary
CVE-2016-20037 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Identicalsoftware (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2016-20037 is a stack-based buffer overflow vulnerability (CWE-787) affecting xwpe versions 1.5.30a-2.1 and prior. The flaw occurs when the software processes overly long input strings that exceed buffer boundaries, enabling local attackers to execute arbitrary code. Attackers can exploit this by crafting malicious command-line arguments consisting of 262 bytes of junk data followed by shellcode to overwrite the instruction pointer.
The CVSS v3.1 base score is 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): the attack is local, with low attack complexity (AC:L), no required privileges (PR:N), and no user interaction needed (UI:N). Successful exploitation allows arbitrary code execution or denial of service, with high impact on confidentiality, integrity, and availability.
Advisories from VulnCheck detail the stack-based buffer overflow in xwpe 1.5.30a, while an exploit is publicly available on Exploit-DB (exploit 39285). The official xwpe site at identicalsoftware.com provides additional context on the software.
An exploit has been published on Exploit-DB, indicating real-world exploitation potential for this legacy X Window programming environment.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-10829
Vulnerability details
xwpe 1.5.30a-2.1 and prior contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying overly long input strings that exceed buffer boundaries. Attackers can craft malicious command-line arguments with 262 bytes of junk data followed by shellcode to overwrite the instruction pointer and achieve code execution or denial of service.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Local stack-based buffer overflow via crafted command-line arguments directly enables arbitrary code execution on a client application (T1203) and/or privilege escalation (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly prevents stack-based buffer overflows by requiring validation of command-line input strings to enforce boundaries and reject overly long arguments.
Mitigates arbitrary code execution from stack overflows using memory safeguards like non-executable stacks, address space randomization, and stack canaries.
Requires identification, reporting, and correction of specific flaws like CVE-2016-20037 through patching, updating, or removal of vulnerable xwpe software.