Cyber Resilience

CVE-2016-20040

Severity: High · Public PoC

Published: 28 March 2026
Modified: 01 May 2026
KEV Added: not listed
Patch: none referenced
CVSS Score v4: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0016 (5.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2016-20040 is a high-severity memory-safety vulnerability in TiEmu, the TI calculator emulator hosted at ticalc.org (the vendor name "Ticalc" is inferred from the references, not from an NVD CPE). The record is filed under CWE-22 (Path Traversal), but what it describes is a stack-based buffer overflow triggered by an oversized ROM argument, which CWE-121 (Stack-based Buffer Overflow) fits more accurately. Its CVSS v4 base score is 8.6 (High).

Operationally, this analysis maps exploitation to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By exploit likelihood it ranks at the 5.8th percentile (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced. Note the attack vector is local (AV:L): the overflow is reached only when tiemu is launched with an attacker-controlled ROM argument, so code runs with the privileges of whoever launches it, and it crosses a privilege boundary only where a more privileged user or process invokes tiemu on untrusted input.

The strongest mitigations this analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2016-20040 is a buffer overflow vulnerability in TiEmu 3.03-nogdb+dfsg-3 (a Debian package version of the emulator), affecting ROM parameter handling in the tiemu command-line interface. The flaw occurs when an oversized ROM parameter is supplied: the argument is copied into a fixed-size stack buffer without a length check, so the excess bytes overwrite the saved instruction pointer with attacker-controlled addresses. The record is filed under CWE-22, although the behaviour described is a stack-based buffer overflow rather than path traversal. It carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Local attackers exploit this by passing a maliciously crafted, oversized ROM parameter to the tiemu command-line interface. No privileges or user interaction are required beyond the ability to run tiemu with that argument; the attack is low-complexity and results in an application crash or arbitrary code execution in the context of the user running tiemu, with high impact to confidentiality, integrity, and availability.

Advisories and references, including the VulnCheck advisory at https://www.vulncheck.com/advisories/tiemu-nogdb-dfsg-3-buffer-overflow-via-rom-parameter and the Exploit-DB entry at https://www.exploit-db.com/exploits/39692, describe the vulnerability and a proof-of-concept exploit. The TiEmu project page at http://lpg.ticalc.org/prj_tiemu/ provides additional context on the software. No specific patches or mitigations are described in the CVE details.
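To make the bug class and its fix concrete, here is an added example (not TiEmu's code, and not the PoC from Exploit-DB): a hypothetical ROM-path handler in the vulnerable style the advisory describes, next to a hardened version that applies the input validation SI-10 calls for. ROM_PATH_MAX, struct rom_config and the function names are assumptions chosen for illustration; the oversized argument is constructed inline.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for the example; TiEmu's real limit is not
 * known from the advisory. */
#define ROM_PATH_MAX 256

struct rom_config {
    char path[ROM_PATH_MAX];
};

/* Vulnerable pattern from the advisory: a CLI argument copied into a
 * fixed-size buffer with no length check. strcpy writes strlen(arg)+1
 * bytes, so any argument of ROM_PATH_MAX bytes or more spills past the
 * buffer; when the buffer lives in a stack frame the spill reaches the
 * saved return address. Kept only for contrast; never feed it untrusted
 * input. */
void set_rom_path_unsafe(struct rom_config *cfg, const char *arg) {
    strcpy(cfg->path, arg);
}

/* Hardened form: measure the argument with a bounded scan, refuse anything
 * that would not fit together with its terminating NUL, and refuse control
 * characters that have no business in a file path. Returns 0 on success or
 * a negative errno value. */
int set_rom_path_checked(struct rom_config *cfg, const char *arg) {
    if (cfg == NULL || arg == NULL)
        return -EINVAL;

    size_t len = strnlen(arg, ROM_PATH_MAX);   /* never reads past the limit */
    if (len == 0 || len >= ROM_PATH_MAX)
        return -ENAMETOOLONG;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (c < 0x20 || c == 0x7f)
            return -EINVAL;
    }

    memcpy(cfg->path, arg, len + 1);   /* len + 1 <= ROM_PATH_MAX, checked above */
    return 0;
}

/* Constructed attacker-style input: a run of 'A' bytes longer than the
 * buffer, the shape a crash PoC typically uses. Returns the length written. */
size_t build_oversized_arg(char *out, size_t out_cap, size_t want) {
    if (want >= out_cap)
        want = out_cap - 1;
    memset(out, 'A', want);
    out[want] = '\0';
    return want;
}

int main(int argc, char **argv) {
    struct rom_config cfg;
    char big[ROM_PATH_MAX * 4];
    build_oversized_arg(big, sizeof big, ROM_PATH_MAX * 2);

    /* Use the real argument if one is given, else the constructed overflow. */
    const char *arg = (argc > 1) ? argv[1] : big;
    int rc = set_rom_path_checked(&cfg, arg);
    if (rc != 0) {
        fprintf(stderr, "rom argument rejected (rc=%d): %zu bytes, limit %d\n",
                rc, strnlen(arg, sizeof big), ROM_PATH_MAX - 1);
        return 1;
    }
    printf("rom path accepted: %s\n", cfg.path);
    return 0;
}
```

Run without arguments it rejects the constructed 512-byte argument; `./a.out ti89.rom` accepts it. The point of the hardened version is that the length check happens before any write, and the copy length is derived from the same check, so the two cannot drift apart the way a separate `if (strlen(arg) > MAX)` guard and a later `strcpy` can.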


Vulnerability details

TiEmu 3.03-nogdb+dfsg-3 contains a buffer overflow vulnerability in the ROM parameter handling that allows local attackers to crash the application or execute arbitrary code. Attackers can supply an oversized ROM parameter to the tiemu command-line interface to overflow the stack buffer and overwrite the instruction pointer with malicious addresses.

CWE(s)

CWE-22 Path Traversal (as filed for this record; the described flaw is a stack-based buffer overflow, see Summary)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

A local buffer overflow in a CLI tool that yields arbitrary code execution from crafted input maps to exploitation for client execution, and to exploitation for privilege escalation where the tool is run by a principal more privileged than the one supplying the argument.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30279 (shared CWE-22)
CVE-2026-30277 (shared CWE-22)
CVE-2026-3179 (shared CWE-22)
CVE-2016-20048 (shared CWE-22)
CVE-2016-20041 (shared CWE-22)
CVE-2025-66429 (shared CWE-22)
CVE-2026-22871 (shared CWE-22)
CVE-2025-67030 (shared CWE-22)
CVE-2026-4092 (shared CWE-22)
CVE-2025-54307 (shared CWE-22)

Affected Assets

Ticalc: TiEmu 3.03-nogdb+dfsg-3 (project hosted at ticalc.org; vendor inferred from references and description, as NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent · SI-10 Information Input Validation
Validates and bounds the ROM parameter before it is copied, preventing stack buffer overflows in the tiemu command-line interface.

prevent · SI-16 Memory Protection
Applies memory protections such as stack canaries, ASLR, and DEP/NX to block reliable exploitation of stack buffer overflows that overwrite the instruction pointer; check that the installed tiemu binary was built with these before relying on them.

prevent
Ensures timely remediation of the buffer overflow flaw in TiEmu through vulnerability monitoring, scanning, and patching.
