Description
JAD Java Decompiler 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying overly long input that exceeds buffer boundaries. Attackers can craft malicious input passed to the jad command to overflow the stack and execute a return-oriented programming chain that spawns a shell.
Published: 2026-03-28
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stack‐based buffer overflow in JAD Java Decompiler 1.5.8e‑1kali1 and earlier releases. Malicious input that exceeds the defined buffer size triggers the overflow, allowing direct overwrite of the return address. An attacker can exploit this through the command‑line interface, inject arbitrary code, and spawn a shell, resulting in complete compromise of the host on which JAD is executed. This weakness falls under CWE‑787 and carries critical severity.

Affected Systems

Varaneckas’ JAD Java Decompiler, versions 1.5.8e‑1kali1 and all prior versions are vulnerable. The product is used for reverse engineering Java bytecode, and the flaw is located in the command‑line parsing logic. Any environment that uses these releases for decompilation tasks is at risk if the software is run by attackers or by compromised processes.

Risk and Exploitability

The CVSS base score is 9.3, indicating a high‑severity remote code execution flaw. The EPSS score is below 1 %, suggesting that publicly observed exploitation is rare at present, though the risk remains if an attacker can supply crafted input. The vulnerability is not listed in the CISA KEV catalog, but if an attacker can invoke Jad locally or through a compromised build pipeline, they can achieve arbitrary code execution with minimal prerequisites. The attack does not require elevated privileges, but higher privileges will increase damage potential. Organizations should consider the flaw as a critical exposure that warrants immediate mitigation.

Generated by OpenCVE AI on April 8, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install an up‑to‑date, non‑vulnerable decompiler or uninstall JAD if it is not required.
  • If the decompiler must remain, run it under the least‑privileged account and, if possible, in a sandboxed environment.
  • Enable operating‑system defenses such as stack protection, Data Execution Prevention, and Address Space Layout Randomization.
  • Monitor logs for unexpected shell invocations or unfamiliar processes that may indicate exploitation.

Generated by OpenCVE AI on April 8, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:varaneckas:jad_java_decompiler:1.5.8e-1kali1:*:*:*:*:*:*:*

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Varaneckas
Varaneckas jad Java Decompiler
Vendors & Products Varaneckas
Varaneckas jad Java Decompiler

Sat, 28 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Description JAD Java Decompiler 1.5.8e-1kali1 and prior contains a stack-based buffer overflow vulnerability that allows attackers to execute arbitrary code by supplying overly long input that exceeds buffer boundaries. Attackers can craft malicious input passed to the jad command to overflow the stack and execute a return-oriented programming chain that spawns a shell.
Title JAD 1.5.8e-1kali1 Stack-Based Buffer Overflow
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Varaneckas Jad Java Decompiler
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T13:59:49.724Z

Reserved: 2026-03-28T11:44:17.954Z

Link: CVE-2017-20227

cve-icon Vulnrichment

Updated: 2026-04-01T13:59:43.830Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-28T12:16:01.993

Modified: 2026-04-08T19:37:26.690

Link: CVE-2017-20227

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:29:31Z

Weaknesses