CVE-2017-20225: TiEmu Stack Buffer Overflow via Command-Line Arguments
A stack-based buffer overflow vulnerability has been formally published to the NIST National Vulnerability Database for TiEmu, the open-source Texas Instruments calculator emulator, tracked as CVE-2017-20225 (CVSS 9.8, Critical). The flaw affects TiEmu version 2.08 and prior and can be triggered by passing an oversized string as a command-line argument, causing a stack smash that allows an attacker to execute arbitrary code — including via ROP (Return-Oriented Programming) chains to bypass address space layout randomization.
This CVE was published to the NVD on March 28, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-20225 |
| CVSS Score | 9.8 (Critical) |
| CWE Classification | CWE-121 — Stack-Based Buffer Overflow |
| Affected Product | TiEmu 2.08 and prior |
| Attack Vector | Local (command-line argument) |
| Privileges Required | None |
| User Interaction | None (in automated/scripted contexts) |
| Patch Available | See vendor guidance |
Technical Background
TiEmu is an open-source emulator for Texas Instruments TI-68k based calculators, including the TI-89, TI-92, and TI-92 Plus. It is used by educators, students, and security researchers to run TI-BASIC programs and calculator ROM images on desktop systems without physical hardware. TiEmu is distributed in various Linux repositories and has historically been included in educational software collections.
The vulnerability stems from inadequate boundary checking when TiEmu processes command-line arguments. When an argument string of sufficient length is passed to the binary, it overflows an internal stack-allocated buffer. The overflow writes past the buffer boundary and over adjacent stack memory, including the saved return address, enabling control of the instruction pointer upon function return.
Exploitation Mechanics
An attacker triggers the vulnerability by invoking TiEmu with an oversized argument:
$ tiemu --rom ti89.rom $(python3 -c "print('A'*9999)")
The oversized string is copied into a stack buffer without bounds checking:
Stack frame before overflow:
┌────────────────────┐
│ Return Address │ ← Legitimate return pointer
│ Saved Frame Ptr │
│ stack_buf[N] │ ← Vulnerable buffer starts here
└────────────────────┘
Stack frame after overflow:
┌────────────────────┐
│ 0x41414141 │ ← Return address overwritten with 'AAAA'
│ 0x41414141 │ ← Saved FP smashed
│ AAAA...AAAA │ ← Buffer filled with attacker input
└────────────────────┘
ROP Chain Exploitation
On systems with ASLR and NX/DEP enabled, a direct shellcode injection may not be sufficient. However, the overflow can be weaponized using Return-Oriented Programming:
- Locate ROP gadgets within TiEmu binary or its linked libraries (e.g., libc, GTK)
- Chain gadgets together to build a sequence that achieves the desired outcome (spawn shell, write file, etc.)
- Overwrite return address with the first gadget's address
- Bypass ASLR via information leaks or bruteforce in low-entropy environments
ROP chain example (conceptual):
payload = b'A' * offset
payload += p64(gadget_pop_rdi) # pop rdi; ret
payload += p64(addr_of_bin_sh) # "/bin/sh"
payload += p64(addr_of_system) # system()
Attack Scenarios
Scenario 1: Direct Invocation
An attacker with access to the system or the ability to influence how TiEmu is invoked (e.g., a script processing user-provided calculator ROM filenames) can trigger the overflow directly:
tiemu "$(python3 -c "import sys; sys.stdout.buffer.write(b'A' * 10000)")"Scenario 2: Malicious ROM File with Long Filename
Automated workflows that pass ROM file paths to TiEmu as command-line arguments could be exploited if an attacker supplies a specially crafted long filename:
/path/to/AAAA...AAAA[8000+ chars].rom
Scenario 3: Educational Platform Abuse
In environments where TiEmu is deployed for students or automated calculator simulation (e.g., online coding judges, educational CTF platforms), an attacker could supply a malicious calculator program filename to trigger the overflow.
Severity Context
Despite TiEmu's niche use case, the CVSS 9.8 score is justified by:
- No authentication required: Any user who can invoke TiEmu with attacker-controlled arguments can trigger the flaw
- Full code execution: The overflow enables complete control of the execution flow
- ROP chain viability: Modern exploitation techniques allow bypassing NX/ASLR
- Scripted environment risk: Educational and automation environments often invoke TiEmu non-interactively with user-supplied input
- No patch for EOL software: TiEmu 2.08 development has stalled, meaning no upstream fix is forthcoming
Remediation
Primary Fix
As TiEmu is effectively unmaintained (last active development in the early 2010s), users should evaluate whether TiEmu is still required or whether it can be replaced with:
- TilEm — An actively maintained alternative TI calculator emulator for Linux
- Firebird Emu — Cross-platform TI emulator with ongoing development
- Virtual TI — Windows-based TI-89/92 emulator alternative
Immediate Mitigations
1. Validate argument length before passing to TiEmu:
#!/bin/bash
# Wrapper script with argument length validation
MAX_ARG_LEN=4096
for arg in "$@"; do
if [ "${#arg}" -gt "$MAX_ARG_LEN" ]; then
echo "ERROR: Argument exceeds safe length limit" >&2
exit 1
fi
done
exec tiemu "$@"2. Run TiEmu in a sandboxed environment:
# Sandbox with firejail
firejail --noprofile tiemu "$ROM_PATH"
# Or use a container
docker run --rm -v "$ROM_PATH:/rom.rom" tiemu-container tiemu /rom.rom3. Apply strict SELinux or AppArmor policy:
Configure mandatory access control to prevent TiEmu from spawning shells or making unexpected network connections, limiting the impact of successful exploitation.
Detection
In automated environments using TiEmu:
- Monitor for abnormally long command-line arguments passed to the TiEmu process
- Watch for unexpected child processes (shell invocations) from TiEmu
- Set up core dump alerts for TiEmu crashes — repeated crashes may indicate exploitation attempts
- Audit invocations with arguments exceeding typical ROM path lengths
# Audit rule for TiEmu execution (auditd)
auditctl -a always,exit -F arch=b64 -S execve \
-F exe=/usr/bin/tiemu -k tiemu_execImpact Assessment
| Impact Area | Description |
|---|---|
| Code Execution | Arbitrary code execution with TiEmu process privileges |
| Privilege Escalation | If TiEmu runs setuid or in elevated context, full privilege escalation |
| Educational Platform Risk | Platforms using TiEmu for student calculator simulation |
| Automation Risk | Scripts that pass user-controlled filenames to TiEmu |
| Exploitation Barrier | Low — single command invocation with oversized argument |
| Patch Availability | None — TiEmu development is stalled |
Key Takeaways
- CVE-2017-20225 is a CVSS 9.8 Critical stack buffer overflow in TiEmu 2.08 and prior
- Triggered by oversized command-line arguments that overflow a stack buffer and overwrite the return address
- ROP chain exploitation enables bypassing ASLR and NX memory protections on modern systems
- TiEmu is effectively unmaintained — migrate to an actively supported alternative (TilEm, Firebird Emu)
- Automated pipelines passing user-controlled strings as TiEmu arguments are at highest risk
- Apply sandbox isolation and argument length validation if TiEmu cannot be immediately replaced