CVE-2016-20049

CRITICAL

JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow Remote Code Execution

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20049. PoCs published by Juan Sacco.

AI-analyzed exploit summary This exploit demonstrates a stack-based buffer overflow in JAD (Java Decompiler) 1.5.8e-1kali1 by crafting a malicious input buffer with NOPs, shellcode, and a ROP call to execute arbitrary code. The exploit leverages a lack of boundary checks to trigger a denial-of-service or remote code execution.

Description

JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying oversized input that exceeds buffer boundaries. Attackers can craft malicious input strings exceeding 8150 bytes to overflow the stack, overwrite return addresses, and execute shellcode in the application context.

Exploits (1)

exploitdb WORKING POC

by Juan Sacco · pythonlocallinux

https://www.exploit-db.com/exploits/42076

View Code ZIP pw:eip

This exploit demonstrates a stack-based buffer overflow in JAD (Java Decompiler) 1.5.8e-1kali1 by crafting a malicious input buffer with NOPs, shellcode, and a ROP call to execute arbitrary code. The exploit leverages a lack of boundary checks to trigger a denial-of-service or remote code execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: JAD (Java Decompiler) 1.5.8e-1kali1 and prior

No auth needed

Prerequisites: JAD installed on the target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 08, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-42076

https://www.exploit-db.com/exploits/42076

Product product

Official Product Homepage

http://www.varaneckas.com/jad/

Third Party Advisory third-party-advisory

VulnCheck Advisory: JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow Remote Code Execution

https://www.vulncheck.com/advisories/jad-8e-1kali1-stack-based-buffer-overflow-remote-code-execution

Scores

CVSS v3 9.8

EPSS 0.0011

EPSS Percentile 29.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-787

Status published

Products (2)

Varaneckas/JAD Java Decompiler 1.5.8e-1kali1

varaneckas/jad_java_decompiler 1.5.8e-1kali1

Published Mar 28, 2026

Tracked Since Mar 29, 2026