Cyber Resilience

CVE-2016-20046

High · Public PoC

Published: 28 March 2026

Modified: 01 May 2026
KEV Added
Patch
CVSS Score v4: 8.6 (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0015 (4.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2016-20046 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Cern (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 4.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2016-20046 is a buffer overflow vulnerability (CWE-787) in zFTP Client version 20061220+dfsg3-4.1, affecting the handling of the NAME parameter in FTP connections. The flaw occurs when an oversized NAME value exceeds the 80-byte buffer allocated in strcpy_chk, enabling attackers to overwrite the instruction pointer and execute arbitrary code or crash the application.

Local attackers can exploit this vulnerability with low complexity and without privileges or user interaction, as reflected in its CVSS 3.1 score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying a crafted oversized NAME value during an FTP connection, they can crash the application or execute arbitrary code with the privileges of the user running zFTP Client, compromising confidentiality, integrity, and availability.

Advisories detail the issue at https://www.vulncheck.com/advisories/zftp-client-20061220-dfsg3-local-buffer-overflow, with a proof-of-concept exploit available at https://www.exploit-db.com/exploits/40203. Additional context on the software appears at http://cernlib.web.cern.ch/cernlib/. No patches or specific mitigations are mentioned in the available information.

EU & UK References

Vulnerability details

zFTP Client 20061220+dfsg3-4.1 contains a buffer overflow vulnerability in the NAME parameter handling of FTP connections that allows local attackers to crash the application or execute arbitrary code. Attackers can supply an oversized NAME value exceeding the 80-byte buffer allocated in strcpy_chk to overwrite the instruction pointer and execute shellcode with user privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1203 Exploitation for Client Execution · Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Local buffer overflow in FTP client enables arbitrary code execution via oversized NAME parameter (CWE-787), directly mapping to client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25705 · Shared CWE-787
CVE-2019-25633 · Shared CWE-787
CVE-2026-0538 · Shared CWE-787
CVE-2019-25628 · Shared CWE-787
CVE-2019-25695 · Shared CWE-787
CVE-2018-25218 · Shared CWE-787
CVE-2026-42484 · Shared CWE-787
CVE-2019-25612 · Shared CWE-787
CVE-2025-43300 · Shared CWE-787
CVE-2016-20043 · Shared CWE-787

Affected Assets

Cern
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents the buffer overflow by requiring validation of oversized NAME parameter inputs exceeding the 80-byte buffer before processing with strcpy_chk.

prevent

Implements memory protections like ASLR and non-executable memory to block arbitrary code execution even if the buffer overflow occurs.

prevent

Requires timely identification, reporting, and remediation of flaws like this buffer overflow vulnerability through patching or software replacement.
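
The input-validation control described above, sketched in C as an added example; this is not zFTP's code. The `ftp_session` struct, the `session_set_name` function, the status names and the printable-ASCII policy are assumptions for illustration; only the 80-byte size comes from the advisory text.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 80   /* buffer size stated in the advisory text */

/* Hypothetical session record; not zFTP's real data layout. */
struct ftp_session { char name[NAME_BUF_SIZE]; };

enum name_status { NAME_OK, NAME_NULL, NAME_EMPTY, NAME_TOO_LONG, NAME_BAD_CHAR };

/*
 * Validate first, copy second. Oversized input is rejected rather than
 * truncated, and the destination is untouched unless every check passes.
 */
enum name_status session_set_name(struct ftp_session *s, const char *input)
{
    if (s == NULL || input == NULL)
        return NAME_NULL;

    /* Bounded scan: look for the terminator in the first 80 bytes only. */
    const char *nul = memchr(input, '\0', NAME_BUF_SIZE);
    if (nul == NULL)
        return NAME_TOO_LONG;           /* 80 or more bytes before NUL */

    size_t len = (size_t)(nul - input);
    if (len == 0)
        return NAME_EMPTY;

    /* Assumed policy for this example: printable ASCII only. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)input[i];
        if (c < 0x20 || c > 0x7e)
            return NAME_BAD_CHAR;
    }

    memcpy(s->name, input, len + 1);    /* len + 1 <= NAME_BUF_SIZE, NUL included */
    return NAME_OK;
}

int main(void)
{
    struct ftp_session s = {0};
    char big[200];                      /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("short name: %d\n", session_set_name(&s, "anonymous"));
    printf("oversized:  %d\n", session_set_name(&s, big));
    return 0;
}
```

The boundary matters here: a 79-character value fits with its terminator, while an 80-character value is rejected because the terminator would land one byte past the buffer.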

References