CVE-2017-20227

JAD · Java Decompiler

JAD Java Decompiler 1.5.8e-1kali1 and prior contains a stack-based buffer overflow allowing arbitrary code execution via overly long input strings passed to the jad command.

Executive summary

A critical stack-based buffer overflow in the JAD Java Decompiler allows a local attacker, or anyone who controls a string that reaches the jad command line, to execute arbitrary code by supplying input longer than a fixed-size stack buffer.

Vulnerability

This is a stack-based buffer overflow in the jad command-line utility. The binary copies a caller-supplied command-line string into a fixed-size stack buffer without checking its length, so an argument longer than that buffer overwrites the adjacent stack frame, including the saved return address. Because jad is an old native binary, that overwrite can be chained into control-flow hijack, for example a return-oriented programming (ROP) chain that spawns a shell. No authentication is involved: whoever controls the string passed to jad (a developer typing it, or a script that feeds jad file names taken from an untrusted archive) controls the overflow.
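The following is an added illustration of the bug class described above and is not jad's own code (jad ships as a binary-only tool, so the real buffer size and copy routine are not public; NAME_BUF and the two parse_class_name_* functions are hypothetical). It shows an unbounded strcpy() into a fixed stack buffer beside a hardened copy that refuses anything that cannot fit, and checks the hardened form against a constructed 5000-byte argument of the kind an exploit would pass on the command line.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer size; the real value in jad is not known. */
#define NAME_BUF 256

/* Vulnerable form: strcpy() stops at the source's NUL terminator, not at
 * the end of the destination. Any argument of NAME_BUF bytes or more
 * writes past 'name' into saved registers and the return address.
 * Only ever call this with bounded input in a demonstration. */
int parse_class_name_vuln(const char *arg)
{
    char name[NAME_BUF];
    strcpy(name, arg);              /* unbounded copy: the defect */
    return (int)strlen(name);
}

/* Hardened form: look for the terminator within the buffer's capacity
 * first; if it is not there the input cannot fit and is refused.
 * Returns -1 on rejection, otherwise the accepted length. */
int parse_class_name_safe(const char *arg)
{
    char name[NAME_BUF];
    const char *end = memchr(arg, '\0', NAME_BUF);
    if (end == NULL)                /* NAME_BUF bytes without a NUL: too long */
        return -1;
    size_t n = (size_t)(end - arg); /* n <= NAME_BUF - 1, room for the NUL */
    memcpy(name, arg, n);
    name[n] = '\0';
    return (int)n;
}

/* Constructed input: a 5000-byte 'A' string, the shape of the overly long
 * argument the advisory describes. Returns 1 if the hardened parser
 * rejects it, 0 otherwise. */
int long_input_rejected(void)
{
    static char big[5001];
    memset(big, 'A', 5000);
    big[5000] = '\0';
    return parse_class_name_safe(big) == -1;
}

int main(void)
{
    printf("short input, vuln parser:   %d\n", parse_class_name_vuln("Foo.class"));
    printf("short input, safe parser:   %d\n", parse_class_name_safe("Foo.class"));
    printf("5000-byte input rejected:   %d\n", long_input_rejected());
    /* parse_class_name_vuln() with the 5000-byte input is deliberately not
     * called: without a stack protector it overwrites the return address,
     * with one the process aborts with "stack smashing detected". */
    return 0;
}
```

The same length-before-copy discipline is the field check to apply to the installed binary: run jad with a single argument several kilobytes long and watch how it exits. A process that is killed by SIGSEGV (a shell reports exit status 139) or aborts with a stack-smashing message is doing the unbounded copy; a clean error message about the argument means it bounds the length.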

Business impact

A successful exploit gives the attacker the privileges of the user running the JAD utility. Where developers or automated systems decompile untrusted Java artefacts, this can lead to workstation compromise or lateral movement inside the build pipeline. Note that the assigned CVSS score of 9.8 implies a network attack vector with no user interaction, which does not match how a command-line decompiler is normally exercised; treat it as an upper bound and re-score for your own exposure. A pipeline that runs jad on externally submitted artefacts sits close to that bound, a developer decompiling a file by hand sits well below it.

Remediation

Immediate Action: JAD has not received upstream releases for many years and this advisory references no fixed version, so the practical fix is to remove the package and migrate to a maintained decompiler (for example CFR, Procyon or Fernflower). Where jad must remain temporarily, never invoke it with arguments derived from untrusted input.

Proactive Monitoring: jad has no legitimate reason to spawn child processes, so alert on any shell or interpreter whose parent is jad (an auditd execve rule keyed on the parent, or an EDR process-tree rule, covers this). Deny execution of binaries from locations written by the decompilation job.

Compensating Controls: Run decompilation of untrusted files under a sandbox or throwaway container with no network access, a read-only view of the input and no credentials mounted, so that a successful exploit is contained to that environment.

Exploitation status

Public Exploit Available: false

Analyst recommendation

A stack-based buffer overflow in a development tool is serious precisely because decompilers are routinely pointed at third-party, untrusted artefacts, which places the tool directly in the software supply chain. Organizations should identify systems carrying legacy JAD packages and replace the software with a maintained decompiler.