Description
JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying oversized input that exceeds buffer boundaries. Attackers can craft malicious input strings exceeding 8150 bytes to overflow the stack, overwrite return addresses, and execute shellcode in the application context.
Published: 2026-03-28
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

JAD 1.5.8e-1kali1 contains a stack‑based buffer overflow that lets an attacker supply an input string larger than 8,150 bytes. The overflow corrupts the return address on the stack, enabling the attacker to inject and execute arbitrary shellcode within the Java Decompiler process. This flaw, classified as CWE‑787, results in a complete loss of control over the application’s execution flow and introduces confidentiality, integrity, and availability risks.

Affected Systems

The vulnerability affects Varaneckas JAD Java Decompiler versions 1.5.8e‑1kali1 and all earlier releases. Any system that runs these versions and accepts externally supplied input is susceptible to exploitation.

Risk and Exploitability

The CVSS score of 9.3 indicates a very high severity, and the absence of an EPSS score does not reduce the likelihood of attack because the flaw can be triggered by a simple oversized input. The vulnerability is not listed in the CISA KEV catalog, yet it remains capable of exploitation in the wild; attackers can deliver the malicious payload remotely by crafting a large string or file. Consequently, the threat is urgent and demands immediate action to mitigate the risk.

Generated by OpenCVE AI on March 28, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JAD Java Decompiler to a version newer than 1.5.8e‑1kali1.
  • If an upgrade is not possible, uninstall the vulnerable software from the environment.
  • If removal is not feasible, restrict the application’s exposure by blocking or monitoring input that exceeds normal size limits.
  • Monitor logs and network traffic for anomalous payloads that exceed 8,150 bytes to detect potential exploitation attempts.

Generated by OpenCVE AI on March 28, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Varaneckas
Varaneckas jad Java Decompiler
Vendors & Products Varaneckas
Varaneckas jad Java Decompiler

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description JAD 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying oversized input that exceeds buffer boundaries. Attackers can craft malicious input strings exceeding 8150 bytes to overflow the stack, overwrite return addresses, and execute shellcode in the application context.
Title JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow Remote Code Execution
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Varaneckas Jad Java Decompiler
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-28T11:58:09.080Z

Reserved: 2026-03-28T11:42:00.467Z

Link: CVE-2016-20049

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-28T12:16:01.407

Modified: 2026-03-28T12:16:01.407

Link: CVE-2016-20049

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T06:59:16Z

Weaknesses