Cyber Resilience

CVE-2016-20049

Critical · Public PoC

Published: 28 March 2026
Modified: 22 April 2026
KEV Added
Patch
CVSS Score v4: 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0067 (47.1th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2016-20049 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Varaneckas Jad Java Decompiler. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 47.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2016-20049 is a stack-based buffer overflow vulnerability (CWE-787) affecting JAD versions 1.5.8e-1kali1 and prior. The issue arises when the application processes oversized input strings exceeding 8150 bytes, leading to a stack overflow that overwrites return addresses and enables execution of arbitrary shellcode in the application context. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for complete compromise.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low attack complexity. By crafting and supplying malicious input that exceeds buffer boundaries, attackers can achieve arbitrary code execution within the JAD process, potentially leading to full control over the affected system depending on the application's execution context and privileges.

The provided CVE details, advisories and related resources do not specify patches or detailed mitigations. Key references include the JAD project page at http://www.varaneckas.com/jad/, a public exploit at https://www.exploit-db.com/exploits/42076, and a VulnCheck advisory at https://www.vulncheck.com/advisories/jad-8e-1kali1-stack-based-buffer-overflow-remote-code-execution.

A proof-of-concept exploit is available on Exploit-DB, suggesting feasibility for real-world attacks against unpatched JAD installations. The CVE was published on 2026-03-28T12:16:01.407.

EU & UK References

Vulnerability details

JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying oversized input that exceeds buffer boundaries. Attackers can craft malicious input strings exceeding 8150 bytes to overflow the stack, overwrite return addresses, and execute shellcode in the application context.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Stack-based buffer overflow enables unauthenticated remote code execution over the network in a public-facing application context.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2017-20227 (Same product: Varaneckas Jad Java Decompiler)
CVE-2025-27807 (Shared CWE-787)
CVE-2024-48856 (Shared CWE-787)
CVE-2025-14234 (Shared CWE-787)
CVE-2018-25223 (Shared CWE-787)
CVE-2018-25154 (Shared CWE-787)
CVE-2024-57704 (Shared CWE-787)
CVE-2025-29384 (Shared CWE-787)
CVE-2024-12648 (Shared CWE-787)
CVE-2025-30276 (Shared CWE-787)

Affected Assets

varaneckas
jad java decompiler
1.5.8e-1kali1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly prevents the stack-based buffer overflow by validating and rejecting oversized input strings exceeding 8150 bytes at application input points.

prevent

Provides memory protections such as ASLR and non-executable stack to block exploitation of the buffer overflow for arbitrary code execution.

prevent

Mandates identification, reporting, and correction of the specific buffer overflow flaw in JAD versions 1.5.8e-1kali1 and prior through patching or removal.

References