
CVE-2016-20047

Severity: High · Public PoC referenced

Published: 28 March 2026
Modified: 30 March 2026
KEV Added: not listed
Patch: none referenced

CVSS v4 base score: 8.6 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS score: 0.0015 (4.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2016-20047 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in EKG Gadu, the EKG instant-messaging client hosted at ekg.chmurka.net (the vendor name is inferred from the references, since NVD filed no CPE). Its CVSS v4 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 4.5th percentile by exploit likelihood, well below the median; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced (Exploit-DB 40392).

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2016-20047 is a local buffer overflow (CWE-787) in EKG Gadu version 1.9~pre+r2855-3+b1, in the code that handles the username. The public reports place the overflow at a strlcpy call that receives a username longer than 258 bytes; the overwrite reaches the saved instruction pointer, so an attacker can redirect execution into supplied shellcode. One caveat for anyone triaging the call site: strlcpy bounds its copy to the size argument it is given, so an overflow through it means the size passed does not reflect the real destination buffer. The referenced sources do not show the call in question.

Local attackers can exploit the flaw with low complexity and no privileges, as its CVSS 3.1 vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (score 8.4) indicates. By supplying a crafted buffer through the username parameter they trigger the overflow and gain arbitrary code execution with the privileges of the user running the affected software. Because the payload is passed to a client that runs as the victim, the practical impact depends on whether an untrusted party can control that username (for example through a wrapper script or a shared configuration); a user exploiting their own session gains nothing they did not already have.

Advisories and additional details, including a published exploit, are available from the EKG project site (http://ekg.chmurka.net/), Exploit-DB (https://www.exploit-db.com/exploits/40392) and VulnCheck (https://www.vulncheck.com/advisories/ekg-gadu-local-buffer-overflow-via-username-parameter). None of these sources details a patch or vendor-supplied mitigation.


Vulnerability details

EKG Gadu 1.9~pre+r2855-3+b1 contains a local buffer overflow in its username handling that allows local attackers to execute arbitrary code by supplying an oversized username string. Attackers trigger the overflow in the strlcpy function by passing a crafted buffer exceeding 258 bytes, overwriting the instruction pointer and executing shellcode with the privileges of the affected user.

CWE(s)

CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local buffer overflow enables direct arbitrary code execution via crafted input, mapping to exploitation for privilege escalation or code execution on the local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2016-20044 (shared CWE-787)
CVE-2026-23326 (shared CWE-787)
CVE-2024-43077 (shared CWE-787)
CVE-2024-53697 (shared CWE-787)
CVE-2025-20890 (shared CWE-787)
CVE-2026-23073 (shared CWE-787)
CVE-2025-20708 (shared CWE-787)
CVE-2025-1471 (shared CWE-787)
CVE-2024-35273 (shared CWE-787)
CVE-2022-49062 (shared CWE-787)

Affected Assets

EKG Gadu 1.9~pre+r2855-3+b1 (vendor chmurka.net, inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: SI-10 (Information Input Validation) bounds the username copy by the size of the destination buffer and rejects any value that does not fit in the 258-byte field, removing the overflow trigger at the entry point.

Prevent: SI-16 (Memory Protection) covers the platform defences that make an overwritten return address hard to turn into code execution: stack canaries detect the overwrite before the function returns, ASLR makes the addresses a payload must hit unpredictable, and DEP/NX stops injected shellcode from running. None of these prevents the overwrite itself, so they reduce exploitability rather than fix the bug.

Prevent: SI-2 (Flaw Remediation) requires identifying, reporting and correcting flaws such as this buffer overflow through timely patching, or replacing the affected software where no fix is available.
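To make the overflow described under "Deeper analysis" and the SI-10 control above concrete, here is an added C example; it is not code from the EKG project or from any of the referenced advisories. It reconstructs the bug class in one plausible shape, a strlcpy call whose size argument is derived from the source string rather than the destination, and that shape is an assumption: the public reports do not show the actual call site. The 258-byte slot, the sentinel standing in for the saved return address, the local xstrlcpy and the constructed all-'A' usernames are all parts of the example, chosen so that the overflow stays inside a single object and the program runs safely anywhere.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_MAX 258   /* destination size cited in the public reports for this CVE */
#define SENTINEL_LEN 8
#define SENTINEL_BYTE 0xA5

/* Local copy of strlcpy with BSD semantics (always NUL-terminates when
   dstsize > 0, returns strlen(src)) so the example builds on any libc. */
static size_t xstrlcpy(char *dst, const char *src, size_t dstsize) {
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Constructed stand-in for the stack frame: the username slot followed by a
   sentinel that plays the role of the saved return address above the buffer.
   Both live in one object so the demonstration never touches memory it does
   not own. */
struct frame {
    char name[USERNAME_MAX];
    unsigned char sentinel[SENTINEL_LEN];
};

static void frame_init(struct frame *f) {
    memset(f->name, 0, sizeof f->name);
    memset(f->sentinel, SENTINEL_BYTE, sizeof f->sentinel);
}

static int sentinel_intact(const struct frame *f) {
    for (size_t i = 0; i < sizeof f->sentinel; i++)
        if (f->sentinel[i] != SENTINEL_BYTE) return 0;
    return 1;
}

/* Hypothetical reconstruction of the bug class: strlcpy is used, but the size
   argument comes from the source, not the destination, so the bound limits
   nothing and an oversized name runs past the slot into the sentinel. */
static void copy_username_vulnerable(struct frame *f, const char *username) {
    xstrlcpy(f->name, username, strlen(username) + 1);
}

/* Hardened form (SI-10): bound by the destination, and reject rather than
   silently truncate, since strlcpy signals truncation through a return value
   of dstsize or more. Returns 0 on success, -1 if the name did not fit. */
static int copy_username_hardened(struct frame *f, const char *username) {
    size_t needed = xstrlcpy(f->name, username, sizeof f->name);
    if (needed >= sizeof f->name) {
        f->name[0] = '\0';
        return -1;
    }
    return 0;
}

/* Builds a constructed username of len bytes of 'A'. Returns 0 on success. */
static int make_username(char *buf, size_t bufsize, size_t len) {
    if (len >= bufsize) return -1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return 0;
}

/* 1 if the sentinel survives copying a username of len bytes, 0 if it was
   overwritten (the condition that lets an attacker redirect execution),
   -1 if len is larger than this harness can construct. */
static int sentinel_survives(int hardened, size_t len) {
    char username[USERNAME_MAX + SENTINEL_LEN];
    struct frame f;
    if (make_username(username, sizeof username, len) != 0) return -1;
    frame_init(&f);
    if (hardened) copy_username_hardened(&f, username);
    else copy_username_vulnerable(&f, username);
    return sentinel_intact(&f);
}

/* 1 if the hardened copy accepts a username of len bytes, 0 if it rejects it. */
static int hardened_accepts(size_t len) {
    char username[USERNAME_MAX + SENTINEL_LEN];
    struct frame f;
    if (make_username(username, sizeof username, len) != 0) return -1;
    frame_init(&f);
    return copy_username_hardened(&f, username) == 0;
}

int main(void) {
    size_t lens[] = { 100, 257, 258, 262 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%3zu  vulnerable sentinel intact=%d  hardened sentinel intact=%d  accepted=%d\n",
               lens[i], sentinel_survives(0, lens[i]), sentinel_survives(1, lens[i]),
               hardened_accepts(lens[i]));
    return 0;
}
```

Compile with any C99 compiler and run it. The vulnerable copy leaves the sentinel intact up to 257 bytes and clobbers it from 258 bytes upward (258 characters need 259 bytes once the terminator is counted, which is why "exceeding 258 bytes" in the advisory text is the boundary to watch), while the hardened copy keeps the sentinel intact at every length and refuses anything it would have had to truncate; that return-value check is the input validation SI-10 asks for at the entry point.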
