CVE-2016-20049: JAD Java Decompiler Stack Buffer Overflow
A stack-based buffer overflow vulnerability has been formally published to the NIST National Vulnerability Database for JAD (Java Decompiler), tracked as CVE-2016-20049 (CVSS 9.8, Critical). The flaw exists in JAD versions 1.5.8e-1kali1 and prior — the Kali Linux-packaged release of the widely used Java decompiler — and allows attackers to execute arbitrary code by supplying oversized input strings that exceed internal buffer boundaries and overwrite the stack return address.
This CVE was published to the NVD on March 28, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2016-20049 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-121 — Stack-Based Buffer Overflow |
| Affected Product | JAD 1.5.8e-1kali1 and prior |
| Attack Vector | Local / File-based |
| Privileges Required | None |
| User Interaction | None (automated processing contexts) |
| Patch Available | See vendor guidance |
Technical Background
JAD is a widely used command-line Java decompiler that converts compiled .class bytecode back to readable Java source. It is distributed as part of the Kali Linux security toolkit and is commonly used by security researchers, penetration testers, and developers for reverse engineering Java applications, analyzing malware, or recovering lost source code.
The vulnerability arises from inadequate boundary checking when JAD processes input strings. When user-supplied input or data from a class file being decompiled exceeds 8150 bytes, the string overflows an internal stack buffer. Because no bounds checking is performed on the copy operation, the overflow writes past the end of the buffer and into adjacent stack memory — including the saved return address. This allows an attacker to redirect execution to attacker-controlled data.
Exploitation Mechanics
Normal Stack Frame:
┌─────────────────┐
│ Return Address │ ← Safe, points to legitimate code
│ Saved EBP │
│ buf[8150] │ ← Input copied here
└─────────────────┘
After Overflow (input > 8150 bytes):
┌─────────────────┐
│ 0x41414141 │ ← OVERWRITTEN — attacker controls this
│ OVERWRITTEN │ ← Saved EBP smashed
│ AAAA...AAAA │ ← Oversized input fills buffer and beyond
└─────────────────┘
Attackers can leverage this by:
- Constructing an input string or crafted
.classfile exceeding 8150 bytes - Embedding a ROP (Return-Oriented Programming) chain or shellcode within the payload
- Overwriting the stack return address with a pointer into attacker-controlled memory
- Upon function return, execution redirects to the attacker's payload
Attack Scenarios
Scenario 1: Malicious Class File Processing
An attacker distributes a specially crafted .class file designed to trigger the overflow when decompiled:
# Victim decompiles a "received" class file
jad -s java malicious.class
→ Stack overflow triggered during processing
→ Attacker code executes with victim's privileges
This is especially dangerous in automated pipelines where JAD is used for batch decompilation without manual review.
Scenario 2: Pentest Tool Weaponization
Penetration testers running JAD against client-provided artifacts could inadvertently trigger the vulnerability if the target supplies a crafted file. In CTF and research environments, this could be leveraged for lateral movement.
Scenario 3: CI/CD Pipeline Compromise
Organizations using JAD in automated build or analysis pipelines that process untrusted third-party JAR files could be vulnerable if an attacker can introduce malicious class files into the input stream.
Severity Context
The CVSS 9.8 score reflects several compounding factors:
- No authentication required: Exploitation requires only access to the binary and a crafted input
- Arbitrary code execution: Full control of the execution flow, not limited to denial of service
- Privilege inheritance: Executes with the same privileges as the user running JAD (often elevated in security tooling contexts)
- Prevalent in security tooling: JAD's Kali Linux package makes it broadly deployed among security practitioners
- ROP exploitation: Modern systems with ASLR can still be compromised via ROP chains that bypass address randomization
Remediation
Primary Fix
Upgrade JAD to a patched version. As JAD's original development ceased years ago, users should evaluate alternative actively-maintained Java decompilers such as:
- Fernflower (integrated in IntelliJ IDEA / CFR)
- CFR (actively maintained, available at
https://www.benf.org/other/cfr/) - Procyon (open-source, actively maintained)
- jadx (modern alternative with GUI support)
Immediate Mitigations
1. Avoid processing untrusted class files with JAD:
Never run JAD against class files from unknown or untrusted sources. Treat class files from external parties as potentially malicious.
2. Run JAD in an isolated environment:
# Use a container to sandbox JAD execution
docker run --rm -v /path/to/classes:/work openjdk:11 bash -c \
"jad -s java /work/Suspicious.class"3. Input length validation (custom wrapper):
If JAD must be used, wrap it with input size validation:
#!/bin/bash
# Check class file size before decompiling
MAX_SIZE=8000
FILE="$1"
SIZE=$(wc -c < "$FILE")
if [ "$SIZE" -gt "$MAX_SIZE" ]; then
echo "ERROR: Input file exceeds safe size limit ($SIZE bytes > $MAX_SIZE)" >&2
exit 1
fi
jad "$FILE"4. Monitor for anomalous behavior:
Watch for unexpected process spawning from JAD invocations:
# Audit JAD executions in automated pipelines
auditctl -w /usr/bin/jad -p x -k jad_executionDetection
Monitor for signs of exploitation in environments using JAD:
- Unexpected child processes spawned from JAD
- Unusually large
.classfiles being processed (> 8 KB input strings) - Segmentation faults or core dumps from JAD processes
- Network connections originating from JAD process (shell callbacks)
Impact Assessment
| Impact Area | Description |
|---|---|
| Code Execution | Arbitrary code execution with JAD process privileges |
| System Compromise | Full machine compromise if JAD runs as elevated user |
| CI/CD Risk | Automated pipelines processing untrusted JARs are at high risk |
| Security Tool Context | Predominantly affects security researchers and penetration testers |
| Exploitation Barrier | Low — requires only a crafted input file, no authentication |
Key Takeaways
- CVE-2016-20049 is a CVSS 9.8 Critical stack buffer overflow in JAD 1.5.8e-1kali1 and prior
- Input strings exceeding 8150 bytes overflow the stack and enable arbitrary code execution
- Kali Linux users who have JAD installed should switch to actively maintained alternatives
- Never run JAD against untrusted
.classfiles without sandboxing - Consider replacing JAD with modern alternatives (jadx, CFR, Fernflower) which receive active security maintenance