CVE-2016-20037

Severity: High · Public PoC
Published: 28 March 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: not listed
CVSS v4.0 base score: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS Score: 0.0015 (4.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2016-20037 is a high-severity Out-of-bounds Write (CWE-787) vulnerability, specifically a stack-based buffer overflow, in xwpe, a product of Identicalsoftware (vendor inferred from references). Its CVSS v4.0 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 4.4th percentile by exploit likelihood (EPSS 0.0015, well below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof of concept (Exploit-DB 39285).

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2016-20037 is a stack-based buffer overflow (filed under CWE-787, Out-of-bounds Write) affecting xwpe 1.5.30a-2.1 and prior. The program does not bound the length of a command-line argument it stores in a fixed-size stack buffer, so an overly long argument overwrites adjacent stack data, including the saved return address. The referenced proof of concept supplies an argument of 262 bytes of filler followed by shellcode; when the vulnerable function returns, the overwritten return address is loaded into the instruction pointer and execution is redirected into attacker-controlled data. The result is arbitrary code execution in the context of the user running xwpe.

The CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 8.4) reflects a local attack with low complexity (AC:L), no privileges required (PR:N) and no user interaction (UI:N), with high confidentiality, integrity and availability impact. In practice the attacker needs the ability to run xwpe with a chosen argument; the outcome is code execution, or a crash and therefore denial of service, at the privilege level of the xwpe process. Unless xwpe is installed setuid or is launched with attacker-controlled arguments by a more privileged component, the overflow by itself grants no privileges beyond those the local user already holds.
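The following C program is an added example, not code from xwpe or Identicalsoftware. It contrasts the unbounded argument-copy pattern that produces a stack-based overflow of the kind described above with a bounded version that rejects overlong input before copying (the SI-10 control named in the summary). The function names, the 256-byte FNAME_MAX buffer and the constructed inputs are assumptions for illustration; xwpe's real buffer layout is not reproduced, and the 262-byte filler merely mirrors the PoC shape described on this page.

```c
/* Added example, not code from xwpe or Identicalsoftware. It contrasts the
 * unbounded argument copy that produces a stack-based overflow of the kind
 * described for CVE-2016-20037 with a bounded version. The function names,
 * the FNAME_MAX buffer size and the constructed inputs are assumptions for
 * illustration; xwpe's real buffer layout is not reproduced here. */
#include <stdio.h>
#include <string.h>

#define FNAME_MAX 256   /* assumed size of a fixed stack buffer */

/* UNSAFE pattern (CWE-787). strcpy() copies until the NUL terminator with no
 * regard for the destination size, so an argv entry longer than FNAME_MAX-1
 * bytes runs past fname over the saved frame pointer and return address.
 * Filler up to the return address followed by shellcode is the
 * "junk + shellcode" structure the advisory describes. Shown for contrast;
 * never call it with untrusted input. Compiler and loader mitigations
 * (-fstack-protector, non-executable stack, PIE/ASLR) raise the cost of
 * abusing this but do not remove the bug. */
void open_file_unsafe(const char *arg)
{
    char fname[FNAME_MAX];
    strcpy(fname, arg);
    printf("opening %s\n", fname);
}

/* Hardened version (SI-10 input validation): measure the input without
 * scanning past what could possibly fit, reject anything that would not
 * leave room for the terminator, then copy with an explicit bound.
 * Returns 0 on success, -1 when the argument is rejected. */
int open_file_checked(const char *arg, char *out, size_t outsz)
{
    if (arg == NULL || out == NULL || outsz == 0)
        return -1;
    size_t n = 0;
    while (n < outsz && arg[n] != '\0')
        n++;
    if (n == outsz)             /* no NUL within outsz bytes: too long */
        return -1;
    memcpy(out, arg, n);
    out[n] = '\0';
    return 0;
}

/* Returns 1 if every argv entry fits a FNAME_MAX buffer, 0 at the first
 * rejection. A wrapper could apply this before passing arguments on to an
 * unpatched binary. */
int args_are_bounded(int argc, char **argv)
{
    char scratch[FNAME_MAX];
    for (int i = 1; i < argc; i++)
        if (open_file_checked(argv[i], scratch, sizeof scratch) != 0)
            return 0;
    return 1;
}

/* Constructed worked checks (inputs built here, not captured from xwpe). */
int check_short_arg(void)
{
    char buf[FNAME_MAX];
    return open_file_checked("notes.txt", buf, sizeof buf) == 0
        && strcmp(buf, "notes.txt") == 0;
}

int check_exact_fit(void)
{
    /* Off-by-one boundary: 255 bytes + NUL fits, 256 bytes does not. */
    char buf[FNAME_MAX], in[FNAME_MAX + 1];
    memset(in, 'B', FNAME_MAX);
    in[FNAME_MAX - 1] = '\0';
    int fits = open_file_checked(in, buf, sizeof buf);
    in[FNAME_MAX - 1] = 'B';
    in[FNAME_MAX] = '\0';
    int too_long = open_file_checked(in, buf, sizeof buf);
    return fits == 0 && too_long == -1;
}

int check_poc_shaped_arg(void)
{
    /* 262 bytes of filler followed by a marker standing in for shellcode. */
    static const char marker[] = "<shellcode bytes would follow>";
    char buf[FNAME_MAX], poc[262 + sizeof marker];
    memset(poc, 'A', 262);
    memcpy(poc + 262, marker, sizeof marker);   /* copies the NUL too */
    return open_file_checked(poc, buf, sizeof buf) == -1;
}

int main(void)
{
    char *argv_ok[] = { "xwpe", "main.c", "util.h" };
    printf("short arg accepted:      %d\n", check_short_arg());
    printf("exact fit handled:       %d\n", check_exact_fit());
    printf("PoC-shaped arg rejected: %d\n", check_poc_shaped_arg());
    printf("argv list bounded:       %d\n", args_are_bounded(3, argv_ok));
    open_file_unsafe("main.c");   /* safe only because this input is short */
    return 0;
}
```

The length check in open_file_checked deliberately stops scanning at outsz bytes, so an attacker cannot make the validator itself read far beyond a short destination; the exact-fit check shows the boundary where a naive `<=` comparison would still allow the terminator to spill one byte past the buffer.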

Advisories from VulnCheck detail the stack-based buffer overflow in xwpe 1.5.30a, and an exploit is publicly available on Exploit-DB (exploit 39285). The official xwpe site at identicalsoftware.com provides additional context on the software.

The published Exploit-DB entry lowers the effort required of an attacker who already has local access to a system running this legacy X Window programming environment; weigh that against the low EPSS score (0.0015) and the local-only attack vector when prioritising remediation.

Vulnerability details

xwpe 1.5.30a-2.1 and prior contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying overly long input strings that exceed buffer boundaries. Attackers can craft malicious command-line arguments with 262 bytes of junk data followed by shellcode to overwrite the instruction pointer and achieve code execution or denial of service.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A local stack-based buffer overflow triggered by a crafted command-line argument yields arbitrary code execution inside the xwpe process (T1203). It maps to T1068 only when that process runs with higher privileges than the attacker already holds; otherwise exploitation gains no new privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25650 (shared CWE-787)
CVE-2018-25212 (shared CWE-787)
CVE-2026-8569 (shared CWE-787)
CVE-2026-31607 (shared CWE-787)
CVE-2025-20881 (shared CWE-787)
CVE-2026-8915 (shared CWE-787)
CVE-2026-47314 (shared CWE-787)
CVE-2026-6314 (shared CWE-787)
CVE-2024-54523 (shared CWE-787)
CVE-2026-9967 (shared CWE-787)

Affected Assets

Identicalsoftware xwpe (1.5.30a-2.1 and prior)
Vendor and product inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly prevents stack-based buffer overflows by requiring validation of command-line input strings: check the length against the destination buffer and reject overly long arguments before they are copied.

SI-16 Memory Protection (prevent)
Limits what a stack overflow can achieve through memory safeguards such as non-executable stacks, address space layout randomization, and stack canaries; these raise the cost of exploitation but do not remove the underlying flaw.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and correction of specific flaws such as CVE-2016-20037 through patching, updating, or removal of vulnerable xwpe installations.
