{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/java_decompiler/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve","buffer_overflow","java_decompiler"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eJAD Java Decompiler version 1.5.8e-1kali1 and prior contains a critical stack-based buffer overflow vulnerability (CVE-2017-20227). An attacker exploits the flaw by supplying an overly long input that, when processed by the \u003ccode\u003ejad\u003c/code\u003e command, is copied into a fixed-size stack buffer without an adequate bounds check and overflows it. The overflow overwrites the saved return address and other data on the stack, giving the attacker control of execution. No new code needs to be injected: the exploitation path described here chains instruction sequences already present in the process (return-oriented programming, ROP) and ends by spawning a shell with the privileges of the user running the vulnerable JAD decompiler. This vulnerability poses a significant risk to developers and systems that use the affected versions of JAD, particularly in environments where untrusted or externally sourced Java bytecode is routinely decompiled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious Java class file or other input designed to trigger the buffer overflow in JAD.\u003c/li\u003e\n\u003cli\u003eThe attacker lures a user, or an automated pipeline, into decompiling that input with the vulnerable \u003ccode\u003ejad\u003c/code\u003e command (version 1.5.8e-1kali1 or prior).\u003c/li\u003e\n\u003cli\u003eJAD copies the overly long input string into a stack-based buffer, writing past the end of the buffer.\u003c/li\u003e\n\u003cli\u003eThe overflow corrupts the stack frame, overwriting the saved return address and other critical data with attacker-controlled values.\u003c/li\u003e\n\u003cli\u003eWhen the vulnerable function returns, execution transfers to the first attacker-chosen address, which is the start of a return-oriented programming (ROP) chain.\u003c/li\u003e\n\u003cli\u003eThe ROP chain strings together small instruction sequences (gadgets) already present in the JAD binary or loaded system libraries to set up registers and the stack for the final call; because nothing is executed from the overflowed buffer itself, a non-executable stack does not stop it.\u003c/li\u003e\n\u003cli\u003eThe chain then invokes a system call or library function that spawns a shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the context of the user running JAD.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2017-20227 leads to arbitrary code execution as the invoking user, and from there potentially to complete control of the affected system. With a CVSS v3.1 base score of 9.8 (Critical), the vulnerability is rated as a full compromise of confidentiality, integrity, and availability; as scored, it requires no privileges and no user interaction. In practice, the attack chain above still depends on the vulnerable \u003ccode\u003ejad\u003c/code\u003e binary being run against attacker-supplied input, so exposure is greatest where untrusted bytecode is decompiled routinely or automatically. A foothold gained this way can enable lateral movement within a network, data exfiltration, installation of malware, or other malicious activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAlert on, or block, unexpected outbound connections from hosts running the JAD decompiler, especially where users routinely decompile untrusted class files; a shell spawned by the exploit that connects back out would surface here. (Log Source: \u003ccode\u003enetwork_connection\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003eMonitor process executions of the \u003ccode\u003ejad\u003c/code\u003e command with unusually long command-line arguments, indicative of an overflow attempt, and shell processes whose parent is \u003ccode\u003ejad\u003c/code\u003e, indicative of a successful one. Deploy the provided Sigma rule for detection. (Log Source: \u003ccode\u003eprocess_creation\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003eConsider using an alternative Java decompiler that is not vulnerable to this stack-based buffer overflow.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-28T12:16:01Z","date_published":"2026-03-28T12:16:01Z","id":"/briefs/2026-03-jad-decompiler-overflow/","summary":"JAD Java Decompiler 1.5.8e-1kali1 and prior is vulnerable to a stack-based buffer overflow: an attacker who supplies overly long input to the jad command can hijack control flow, run a return-oriented programming chain, and spawn a shell as the invoking user.","title":"JAD Java Decompiler Stack-Based Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-03-jad-decompiler-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Java_decompiler","version":"https://jsonfeed.org/version/1.1"}
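The process_creation detections from the Recommendation section, run over constructed sample events as an added example. This code is not part of the advisory, of the feed, or of JAD itself; the event schema (image, parent_image, command_line), the alert names jad_long_argument and shell_spawned_by_jad, and the 256-byte argument threshold are assumptions for illustration.

```python
"""Process-creation detection for the JAD overflow advisory.

Added example, not part of the advisory: flags (1) jad invoked with an
unusually long command-line argument (an overflow attempt) and (2) a shell
whose parent process is jad (a successful exploit spawning a shell).
The event schema below is a constructed, generic process_creation shape
(image, parent_image, command_line), not any vendor's native format.
"""
import os
import shlex

# Assumed threshold: tune to the longest legitimate jad argument (usually a
# path) seen in your environment. Overflow payloads are far longer.
MAX_ARG_LEN = 256
SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed sample events: one benign jad run, one overflow attempt,
# one shell spawned by jad, and one unrelated shell.
SAMPLE_EVENTS = [
    {"pid": 101, "image": "/usr/bin/jad", "parent_image": "/bin/bash",
     "command_line": "jad -o -d out Foo.class"},
    {"pid": 102, "image": "/usr/bin/jad", "parent_image": "/bin/bash",
     "command_line": "jad " + "A" * 600},
    {"pid": 103, "image": "/bin/sh", "parent_image": "/usr/bin/jad",
     "command_line": "/bin/sh"},
    {"pid": 104, "image": "/bin/sh", "parent_image": "/bin/bash",
     "command_line": "/bin/sh -c ls"},
]


def longest_arg(command_line):
    """Length of the longest argument after argv[0].

    Overflow payloads often contain bytes that break shell quoting, so a
    ValueError from shlex falls back to a plain whitespace split rather
    than silently dropping the event.
    """
    try:
        args = shlex.split(command_line)
    except ValueError:
        args = command_line.split()
    return max((len(a) for a in args[1:]), default=0)


def evaluate(event):
    """Return a list of (alert_name, detail) tuples for one event."""
    alerts = []
    image = os.path.basename(event["image"])
    parent = os.path.basename(event["parent_image"])
    if image == "jad":
        length = longest_arg(event["command_line"])
        if length > MAX_ARG_LEN:
            alerts.append(("jad_long_argument", length))
    if image in SHELLS and parent == "jad":
        alerts.append(("shell_spawned_by_jad", event["parent_image"]))
    return alerts


def scan(events):
    """Evaluate every event and return (pid, alert_name, detail) hits."""
    return [(e["pid"], name, detail)
            for e in events for name, detail in evaluate(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Two caveats when deploying this: if JAD is exploited through the contents of a class file rather than an overlong argument, the first signal never fires and only the parent-child shell check remains, so do not rely on the argument-length rule alone. And a ROP chain that calls execve directly replaces the jad process in place rather than forking, so whether the resulting shell is recorded with jad as its parent depends on how the telemetry source logs an in-place exec; a chain that goes through system() forks first and does show jad as the parent.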