CVE-2017-20229

Critical · Public PoC

Published: 28 March 2026

Modified: 02 April 2026
KEV Added:
Patch:
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0060 (44.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2017-20229 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Invisible-Island Mawk. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 44.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2017-20229 is a stack-based buffer overflow vulnerability (CWE-787) affecting MAWK versions 1.3.3-17 and prior. The issue stems from inadequate boundary checks on user-supplied input, which allows the stack buffer to be overflowed when processing malicious data.

Remote attackers can exploit this vulnerability with low complexity and with no privileges or user interaction required, as reflected in its CVSS v3.1 score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). With crafted input, attackers can trigger the overflow and use a return-oriented programming (ROP) chain to execute arbitrary code, including spawning a shell with the application's privileges.

Resources for further details include a public exploit on Exploit-DB at https://www.exploit-db.com/exploits/42357 and a vulnerability advisory from VulnCheck at https://www.vulncheck.com/advisories/mawk-17-stack-based-buffer-overflow. No specific patch or mitigation guidance is detailed in the available information.

Vulnerability details

MAWK 1.3.3-17 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting inadequate boundary checks on user-supplied input. Attackers can craft malicious input that overflows the stack buffer and execute a return-oriented programming chain to spawn a shell with application privileges.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Remote unauthenticated stack buffer overflow enabling arbitrary code execution and Unix shell access via ROP in a publicly exposed AWK interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2017-20227 · Shared CWE-787
CVE-2025-27807 · Shared CWE-787
CVE-2024-48856 · Shared CWE-787
CVE-2025-14234 · Shared CWE-787
CVE-2018-25223 · Shared CWE-787
CVE-2018-25154 · Shared CWE-787
CVE-2024-57704 · Shared CWE-787
CVE-2025-29384 · Shared CWE-787
CVE-2024-12648 · Shared CWE-787
CVE-2025-30276 · Shared CWE-787

Affected Assets

invisible-island · mawk · ≤ 1.3.3-17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires identification, reporting, and correction of the stack-based buffer overflow flaw in MAWK, eliminating the vulnerability through patching.

Prevent: Enforces validation of user-supplied inputs with boundary checks, preventing the buffer overflow exploitation in MAWK.

Prevent: Implements memory safeguards like stack canaries and non-executable memory to block arbitrary code execution from the MAWK buffer overflow.
