
CVE-2016-20038

Severity: High · Public PoC

Published: 28 March 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 base score: 8.6 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0018 (7.4th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2016-20038 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in yTree 1.94-1.1. The vendor is recorded as "Han", inferred from the han.de reference URL; NVD filed no CPE for this CVE. Its CVSS v4.0 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The EPSS score places it at the 7.4th percentile for exploit likelihood (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2016-20038 is a stack-based buffer overflow affecting yTree version 1.94-1.1, classified as CWE-787 (Out-of-bounds Write; the more specific CWE-121, Stack-based Buffer Overflow, is a child of it). The flaw occurs when the application copies an excessively long command-line argument into a fixed-size stack buffer, letting an attacker overwrite the saved return address and place shellcode on the stack, thereby executing arbitrary code in the application's context. The CVE record was published on 2026-03-28; a CVE ID's year portion indicates the year the ID was assigned or the vulnerability was made public, so the 2016 identifier reflects the original disclosure rather than the record date. It carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) alongside the v4.0 score of 8.6 shown above.

Local attackers with access to the system can exploit this vulnerability without privileges (PR:N), user interaction (UI:N), or high attack complexity (AC:L). By supplying a crafted command-line argument they achieve arbitrary code execution within the yTree process, with high impact on confidentiality, integrity, and availability. Note that the overflowing argument is supplied by whoever runs the binary, so the practical impact depends on yTree being invoked across a trust boundary (for example as a setuid/setgid binary, or by a wrapper or service running with higher privileges); otherwise the attacker only gains code execution as the user they already are. Scope is unchanged (S:U) in either case.

References include the official yTree website (http://www.han.de/~werner/ytree.html), an Exploit-DB entry (https://www.exploit-db.com/exploits/39406) providing a proof-of-concept exploit, and a VulnCheck advisory (https://www.vulncheck.com/advisories/ytree-stack-based-buffer-overflow) detailing the stack-based buffer overflow. None of these references supplies a patch or vendor mitigation.


Vulnerability details

yTree 1.94-1.1 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an excessively long argument to the application. Attackers can craft a malicious command-line argument containing shellcode and a return address to overwrite the stack and execute code in the application context.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

A stack-based buffer overflow in a local CLI application directly enables arbitrary code execution via crafted input, a classic client-side exploitation vector.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25705 (shared CWE-787)
CVE-2019-25633 (shared CWE-787)
CVE-2026-0538 (shared CWE-787)
CVE-2016-20046 (shared CWE-787)
CVE-2019-25628 (shared CWE-787)
CVE-2019-25695 (shared CWE-787)
CVE-2018-25218 (shared CWE-787)
CVE-2026-42484 (shared CWE-787)
CVE-2019-25612 (shared CWE-787)
CVE-2025-43300 (shared CWE-787)

Affected Assets

yTree 1.94-1.1, vendor recorded as Han (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-2 Flaw Remediation (prevent; control identifier inferred from the description, which the page shows without its ID): directly mandates identifying, reporting, and correcting the stack-based buffer overflow flaw in yTree to eliminate the vulnerability.

SI-16 Memory Protection (prevent): implements memory safeguards such as ASLR, stack canaries, and non-executable stacks to block arbitrary code execution from stack overflows.

SI-10 Information Input Validation (prevent): requires validating command-line arguments at entry points to reject excessively long inputs that trigger the buffer overflow.

Canaries, NX and ASLR raise the cost of turning the overflow into code execution but do not remove the out-of-bounds write itself; only a code fix, or a length check before the copy, does that.
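The following is an added illustration, not yTree's code and not taken from any of the page's references, of the bug class described under Deeper analysis and of the two mitigations listed above (input-length validation for SI-10, a stack canary check for SI-16). A real stack frame is replaced by a struct laid out the way a compiler would place a 64-byte local buffer below the canary, saved frame pointer and return address, so the demo can show the return address being overwritten without crashing itself. The 64-byte buffer, the canary constant, the return address values and the 0x41 marker payload are all assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modelled frame: 64-byte argument buffer, then the slots that sit above it
 * on an x86-64 stack. All sizes and values are assumptions for the demo;
 * yTree's real layout is not known from the page. */
#define ARG_BUF  64
#define CANARY   0x0a1b2c3d4e5f6071ULL   /* assumed; real canaries are random per process */
#define RET_ORIG 0x0000555555401234ULL   /* assumed legitimate return address */

struct frame {
    char     buf[ARG_BUF];   /* local buffer the argument is copied into   */
    uint64_t canary;         /* what -fstack-protector places above locals */
    uint64_t saved_fp;       /* saved frame pointer                        */
    uint64_t ret;            /* saved return address                       */
};

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary   = CANARY;
    f->saved_fp = 0x00007fffffffe000ULL;  /* assumed */
    f->ret      = RET_ORIG;
}

/* The vulnerable pattern: an unbounded strcpy() of an attacker-chosen argument.
 * buf is the first member, so copying through the struct pointer lands in buf
 * and keeps going past it exactly as strcpy would, but cannot leave the struct
 * and crash this demo. */
static void vulnerable_copy(struct frame *f, const char *arg) {
    size_t n = strlen(arg) + 1;            /* strcpy copies the NUL as well */
    if (n > sizeof *f) n = sizeof *f;      /* demo-only guard; real strcpy has none */
    memcpy((char *)f, arg, n);
}

/* Input validation (SI-10): refuse any argument that cannot fit with its NUL,
 * then copy with an explicit bound. memchr keeps this within C99 (no strnlen). */
static int validated_copy(struct frame *f, const char *arg) {
    const char *nul = memchr(arg, '\0', ARG_BUF);
    if (nul == NULL)
        return -1;                         /* too long: reject, never truncate silently */
    memcpy(f->buf, arg, (size_t)(nul - arg) + 1);
    return 0;
}

/* Canary check (SI-16): the test the compiler emits before `ret`. A real
 * binary calls __stack_chk_fail() and aborts; here we only report. */
static int canary_intact(const struct frame *f) {
    return f->canary == CANARY;
}

/* Payload in the shape the page describes: fill the buffer, step over the
 * canary and saved frame pointer, then the return address in little-endian
 * order. Constructed test input; 0x41... is a marker, not a real address.
 * A real strcpy payload must contain no NUL bytes, so addresses with zero
 * high bytes need a different copy primitive. */
static size_t build_payload(char *out, size_t cap, uint64_t fake_ret) {
    size_t off = 0;
    if (cap < ARG_BUF + 3 * sizeof(uint64_t) + 1)
        return 0;
    memset(out + off, 'A', ARG_BUF);          off += ARG_BUF;
    memset(out + off, 'B', sizeof(uint64_t)); off += sizeof(uint64_t);  /* overwrites canary   */
    memset(out + off, 'C', sizeof(uint64_t)); off += sizeof(uint64_t);  /* overwrites saved fp */
    for (size_t i = 0; i < sizeof fake_ret; i++)
        out[off++] = (char)((fake_ret >> (8 * i)) & 0xff);              /* overwrites ret      */
    out[off] = '\0';
    return off;
}

/* Run one scenario on the marker payload and return the resulting frame.
 * With hardened=1 the copy is refused, so buf stays empty and ret untouched. */
static struct frame run_scenario(int hardened) {
    char payload[128];
    struct frame f;
    build_payload(payload, sizeof payload, 0x4141414141414141ULL);
    frame_init(&f);
    if (hardened)
        validated_copy(&f, payload);
    else
        vulnerable_copy(&f, payload);
    return f;
}

/* 1 if validated_copy accepts arg: shows ordinary inputs still work. */
static int accepts(const char *arg) {
    struct frame f;
    frame_init(&f);
    return validated_copy(&f, arg) == 0;
}

int main(void) {
    struct frame v = run_scenario(0), h = run_scenario(1);
    printf("vulnerable: ret=0x%016" PRIx64 " canary_intact=%d\n", v.ret, canary_intact(&v));
    printf("validated:  ret=0x%016" PRIx64 " canary_intact=%d buf=\"%s\"\n",
           h.ret, canary_intact(&h), h.buf);
    printf("validated accepts \"/home/user\": %d\n", accepts("/home/user"));
    return 0;
}
```

The vulnerable path leaves the canary clobbered and the return address equal to the attacker's marker, which is what a stack-protector check would catch one instruction before `ret`; the validated path rejects the argument before any byte is written, which is the only one of the two that removes the CWE-787 write rather than making it harder to exploit.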

References

http://www.han.de/~werner/ytree.html (official yTree website)
https://www.exploit-db.com/exploits/39406 (Exploit-DB proof of concept)
https://www.vulncheck.com/advisories/ytree-stack-based-buffer-overflow (VulnCheck advisory)