Description
Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones Clock configuration. Attackers can craft a buffer with structured exception handling overwrite and encoded shellcode to bypass SafeSEH protections and execute arbitrary commands with application privileges.
Published: 2026-05-13
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Atomic Alarm Clock version 6.3 suffers from a stack buffer overflow in the Time Zones Clock configuration. A local attacker can input a malicious string into the display name textbox that overwrites the Structured Exception Handling (SEH) pointer and carries encoded shellcode. Because SafeSEH protection is bypassed, the overflow allows the attacker to hijack execution flow and run arbitrary code with the application’s credentials. This vulnerability enables local arbitrary code execution, potentially leading to privilege escalation if the application runs with elevated privileges.

Affected Systems

The flaw affects only Atomic Alarm Clock 6.3 from Drive-software; no other vendors or product versions are listed as impacted.

Risk and Exploitability

The CVSS base score of 8.6 indicates high severity, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. EPSS is not available, so the overall exploitation probability cannot be quantified, but the absence of documented widespread exploitation suggests it is not yet a known active threat. The attack requires local interaction with the application’s Time Zones Clock configuration, meaning any user who can launch Atomic Alarm Clock on the affected system can potentially trigger the overflow. The use of SEH overwrite and encoded shellcode demonstrates that the attack vector is local via the application interface, with the primary risk being local arbitrary code execution.

Generated by OpenCVE AI on May 13, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch that fixes the SEH overwrite in the display name textbox of the Time Zones Clock configuration (upgrade to a newer version if available).
  • Disable or remove access to the Time Zones Clock configuration feature so that no user can enter data into the vulnerable textbox.
  • Add input validation to the display name textbox to limit its length to a safe maximum (e.g., 256 characters) to prevent buffer overflow attempts.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Drive-software; Drive-software atomic Alarm Clock |
| Vendors & Products | | Drive-software; Drive-software atomic Alarm Clock |

Wed, 13 May 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 13 May 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Atomic Alarm Clock 6.3 contains a stack overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string to the display name textbox in the Time Zones Clock configuration. Attackers can craft a buffer with structured exception handling overwrite and encoded shellcode to bypass SafeSEH protections and execute arbitrary commands with application privileges. |
| Title | | Atomic Alarm Clock 6.3 Stack Overflow via SEH Unicode |
| Weaknesses | | CWE-121 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-13T15:32:56.655Z

Reserved: 2026-05-13T13:55:54.828Z

Link: CVE-2020-37221

Vulnrichment

Updated: 2026-05-13T15:32:43.130Z

NVD

Status: Awaiting Analysis

Published: 2026-05-13T16:16:33.570

Modified: 2026-05-13T17:26:28.013

Link: CVE-2020-37221

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:34:20Z
