Description
xwpe 1.5.30a-2.1 and prior contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying overly long input strings that exceed buffer boundaries. Attackers can craft malicious command-line arguments with 262 bytes of junk data followed by shellcode to overwrite the instruction pointer and achieve code execution or denial of service.
Published: 2026-03-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Apply Patch
AI Analysis

Impact

An attacker who can run commands on the same host can pass an improperly sized argument to the xWPE program. The program copies the argument into a fixed-size buffer without bound checking, allowing the input – a string as long as 262 bytes – to overwrite the stack frame and the instruction pointer. If the attacker includes shellcode after the junk data, the overwritten pointer redirects execution into the payload, giving local arbitrary‑code execution on the host or causing a crash.

Affected Systems

Identicalsoftware’s xWPE application, versions 1.5.30a‑2.1 and earlier, is affected by this stack‑based buffer overflow.

Risk and Exploitability

Severity is high with a CVSS score of 8.6, indicating that successful exploitation can compromise confidentiality, integrity, and availability. The attack requires local access and a crafted command‑line argument; EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, so the precise likelihood of exploitation remains uncertain. Nonetheless, the high score and local execution potential suggest a significant risk.

Generated by OpenCVE AI on March 28, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update xWPE to the latest version that contains the buffer‑overflow fix, if an update is available from Identicalsoftware.
  • If no update exists, restrict the use of the xWPE binary to trusted administrators or remove it from untrusted hosts.
  • Monitor system logs for repeated attempts to run xWPE with unusually long arguments and investigate any unexpected crashes.

Generated by OpenCVE AI on March 28, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Identicalsoftware
Identicalsoftware xwpe
Vendors & Products Identicalsoftware
Identicalsoftware xwpe

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description xwpe 1.5.30a-2.1 and prior contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying overly long input strings that exceed buffer boundaries. Attackers can craft malicious command-line arguments with 262 bytes of junk data followed by shellcode to overwrite the instruction pointer and achieve code execution or denial of service.
Title xwpe 1.5.30a-2.1 Stack-based Buffer Overflow
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Identicalsoftware Xwpe
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T14:53:42.980Z

Reserved: 2026-03-28T11:27:46.362Z

Link: CVE-2016-20037

cve-icon Vulnrichment

Updated: 2026-03-30T12:51:14.647Z

cve-icon NVD

Status : Deferred

Published: 2026-03-28T12:15:58.500

Modified: 2026-05-01T15:21:32.393

Link: CVE-2016-20037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:59:27Z

Weaknesses