CVE-2016-20049
Published: 28 March 2026
Summary
CVE-2016-20049 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Varaneckas Jad Java Decompiler. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 47.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2016-20049 is a stack-based buffer overflow vulnerability (CWE-787) affecting JAD versions 1.5.8e-1kali1 and prior. The issue arises when the application processes oversized input strings exceeding 8150 bytes, leading to a stack overflow that overwrites return addresses and enables execution of arbitrary shellcode in the application context. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete compromise.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. By crafting and supplying malicious input that exceeds buffer boundaries, attackers can achieve arbitrary code execution within the JAD process, potentially leading to full control over the affected system depending on the application's execution context and privileges.
The CVE details and the referenced advisories do not specify patches or detailed mitigations. Key references include the JAD project page at http://www.varaneckas.com/jad/, a public exploit at https://www.exploit-db.com/exploits/42076, and a VulnCheck advisory at https://www.vulncheck.com/advisories/jad-8e-1kali1-stack-based-buffer-overflow-remote-code-execution.
A proof-of-concept exploit is available on Exploit-DB, suggesting feasibility for real-world attacks against unpatched JAD installations. The CVE was published on 2026-03-28T12:16:01.407.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-10852
Vulnerability details
JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying oversized input that exceeds buffer boundaries. Attackers can craft malicious input strings exceeding 8150 bytes to overflow the stack, overwrite return addresses, and execute shellcode in the application context.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stack-based buffer overflow enables unauthenticated remote code execution over the network in a public-facing application context.
Mitigating Controls (NIST 800-53 r5)
- Directly prevents the stack-based buffer overflow by validating and rejecting oversized input strings exceeding 8150 bytes at application input points.
- Provides memory protections such as ASLR and non-executable stack to block exploitation of the buffer overflow for arbitrary code execution.
- Mandates identification, reporting, and correction of the specific buffer overflow flaw in JAD versions 1.5.8e-1kali1 and prior through patching or removal.