Description
xwpe 1.5.30a-2.1 and prior contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying overly long input strings that exceed buffer boundaries. Attackers can craft malicious command-line arguments with 262 bytes of junk data followed by shellcode to overwrite the instruction pointer and achieve code execution or denial of service.
Published: 2026-03-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Apply Patch
AI Analysis

Impact

An attacker who can run commands on the same host can pass an improperly sized argument to the xWPE program. The program copies the argument into a fixed-size buffer without bound checking, allowing the input – a string as long as 262 bytes – to overwrite the stack frame and the instruction pointer. If the attacker includes shellcode after the junk data, the overwritten pointer redirects execution into the payload, giving local arbitrary‑code execution on the host or causing a crash.

Affected Systems

Identicalsoftware’s xWPE application, versions 1.5.30a‑2.1 and earlier, is affected by this stack‑based buffer overflow.

Risk and Exploitability

Severity is high with a CVSS score of 8.6, indicating that successful exploitation can compromise confidentiality, integrity, and availability. The attack requires local access and a crafted command‑line argument; EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, so the precise likelihood of exploitation remains uncertain. Nonetheless, the high score and local execution potential suggest a significant risk.

Generated by OpenCVE AI on March 28, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update xWPE to the latest version that contains the buffer‑overflow fix, if an update is available from Identicalsoftware.
  • If no update exists, restrict the use of the xWPE binary to trusted administrators or remove it from untrusted hosts.
  • Monitor system logs for repeated attempts to run xWPE with unusually long arguments and investigate any unexpected crashes.

Generated by OpenCVE AI on March 28, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description xwpe 1.5.30a-2.1 and prior contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying overly long input strings that exceed buffer boundaries. Attackers can craft malicious command-line arguments with 262 bytes of junk data followed by shellcode to overwrite the instruction pointer and achieve code execution or denial of service.
Title xwpe 1.5.30a-2.1 Stack-based Buffer Overflow
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-28T11:57:59.881Z

Reserved: 2026-03-28T11:27:46.362Z

Link: CVE-2016-20037

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-28T12:15:58.500

Modified: 2026-03-28T12:15:58.500

Link: CVE-2016-20037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:32:33Z

Weaknesses