Description
yTree 1.94-1.1 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an excessively long argument to the application. Attackers can craft a malicious command-line argument containing shellcode and a return address to overwrite the stack and execute code in the application context.
Published: 2026-03-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stack‑based buffer overflow in yTree 1.94‑1.1. A local attacker can supply an overly long command‑line argument that overwrites the return address on the stack and injects shellcode, allowing arbitrary code to execute within the application's context.

Affected Systems

The affected product is yTree from the Werner vendor. The vulnerability applies to versions 1.94 through 1.1 as noted. There is no indication that later releases are affected or that other products share this flaw.

Risk and Exploitability

With a CVSS base score of 8.6 the vulnerability is considered high severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog, suggesting there is no widespread exploitation yet. However, because the flaw requires local execution rights, any local user with access to run yTree could abuse it to gain code execution, which poses a significant risk especially if the program runs with elevated privileges.

Generated by OpenCVE AI on March 28, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update yTree to a version that addresses the stack buffer overflow
  • Restrict local users from executing the vulnerable program unless necessary
  • Ensure the program runs under the least‑privilege account possible
  • If an update is not available, isolate the application or replace it with a vetted alternative
  • Monitor system logs for abnormal command‑line usage of yTree

Generated by OpenCVE AI on March 28, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description yTree 1.94-1.1 contains a stack-based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an excessively long argument to the application. Attackers can craft a malicious command-line argument containing shellcode and a return address to overwrite the stack and execute code in the application context.
Title yTree 1.94-1.1 Stack-Based Buffer Overflow
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-28T11:58:00.778Z

Reserved: 2026-03-28T11:28:58.958Z

Link: CVE-2016-20038

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-28T12:15:59.277

Modified: 2026-03-28T12:15:59.277

Link: CVE-2016-20038

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:32:32Z

Weaknesses