Description
EKG Gadu 1.9~pre+r2855-3+b1 contains a local buffer overflow vulnerability in the username handling that allows local attackers to execute arbitrary code by supplying an oversized username string. Attackers can trigger the overflow in the strlcpy function by passing a crafted buffer exceeding 258 bytes to overwrite the instruction pointer and execute shellcode with user privileges.
Published: 2026-03-28
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Local Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a local buffer overflow in the username handling routine of EKG Gadu 1.9, triggered by passing an overly long username string to the strlcpy function. When the string exceeds 258 bytes, the function overflows the buffer, overwriting the instruction pointer and enabling an attacker with local access to execute injected shellcode under the privileges of the victim user.

Affected Systems

The product affected is EKG Gadu version 1.9 (build 1.9~pre+r2855-3+b1) from vendor EKG:EKG Gadu.

Risk and Exploitability

With a CVSS score of 8.6, this issue is considered high severity. The exploit requires local user access and does not appear dependent on any network exposure; however, any local user can trigger arbitrary code execution. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating a moderate potential for exploitation but no known widespread attacks.

Generated by OpenCVE AI on March 28, 2026 at 13:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EKG Gadu to a current release that removes the vulnerable strlcpy call.
  • If an upgrade is not immediately possible, eliminate or tightly restrict local accounts that can supply arbitrary usernames.
  • Verify that the application no longer accepts usernames larger than 258 bytes and test with boundary values.

Generated by OpenCVE AI on March 28, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Ekg
Ekg ekg Gadu
Vendors & Products Ekg
Ekg ekg Gadu

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description EKG Gadu 1.9~pre+r2855-3+b1 contains a local buffer overflow vulnerability in the username handling that allows local attackers to execute arbitrary code by supplying an oversized username string. Attackers can trigger the overflow in the strlcpy function by passing a crafted buffer exceeding 258 bytes to overwrite the instruction pointer and execute shellcode with user privileges.
Title EKG Gadu 1.9 Local Buffer Overflow via Username Parameter
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ekg Ekg Gadu
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-30T17:30:50.428Z

Reserved: 2026-03-28T11:40:17.377Z

Link: CVE-2016-20047

cve-icon Vulnrichment

Updated: 2026-03-30T17:30:35.847Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-28T12:16:01.013

Modified: 2026-03-30T13:26:07.647

Link: CVE-2016-20047

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:59:18Z

Weaknesses