CWE-122 Detail

CWE-122

Heap-based Buffer Overflow
Hoog
Draft
2006-07-19
00h00 +00:00
2026-01-21
00h00 +00:00
CWE Mitre.org
Meldingen voor een CWE
Blijf op de hoogte van wijzigingen voor een specifieke CWE.
Meldingen beheren

Naam: Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Algemene informatie

Introductiemodi

Implementation

Toepasselijke platforms

Taal

Class: Memory-Unsafe (Often)
Name: C (Often)
Name: C++ (Often)

Technologieën

Class: Not Technology-Specific (Undetermined)

Veelvoorkomende gevolgen

Bereik Impact Waarschijnlijkheid
AvailabilityDoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Note: Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.
Integrity
Confidentiality
Availability
Access Control		Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Modify Memory

Note: Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.
Integrity
Confidentiality
Availability
Access Control
Other		Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Other

Note: When the consequence is arbitrary code execution, this can often be used to subvert any other security service.

Waargenomen voorbeelden

Referenties Beschrijving

CVE-2025-46687

Chain: Javascript engine code does not perform a length check (CWE-1284) leading to integer overflow (CWE-190) causing allocation of smaller buffer than expected (CWE-131) resulting in a heap-based buffer overflow (CWE-122)

CVE-2021-43537

Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)

CVE-2007-4268

Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)

CVE-2009-2523

Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).

CVE-2021-29529

Chain: machine-learning product can have a heap-based buffer overflow (CWE-122) when some integer-oriented bounds are calculated by using ceiling() and floor() on floating point values (CWE-1339)

CVE-2010-1866

Chain: integer overflow (CWE-190) causes a negative signed value, which later bypasses a maximum-only check (CWE-839), leading to heap-based buffer overflow (CWE-122).

Mogelijke risicobeperkingen

Pre-design: Use a language or compiler that performs automatic bounds checking.
Phases : Architecture and Design
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Phases : Operation // Build and Compilation
Phases : Operation // Build and Compilation
Phases : Implementation
Implement and perform bounds checking on input.
Phases : Implementation
Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Phases : Operation
Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.

Detectiemethoden

Fuzzing

Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Effectiviteit : High

Automated Dynamic Analysis

Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Effectiviteit : Moderate

Notities kwetsbaarheidsmapping

Rechtvaardiging : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Opmerking : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.

Gerelateerde aanvalspatronen

CAPEC-ID Naam aanvalspatroon
CAPEC-92 Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Notities

There is significant inconsistency regarding the "buffer overflow" term, which can have multiple interpretations and uses. Many people mean "writing past the end of a buffer." Others mean "writing past the end of a buffer, or before the beginning of a buffer." Still others might include "read" in the term.

Referenties

REF-7

Writing Secure Code
Michael Howard, David LeBlanc.
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223

REF-44

24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, John Viega.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-62

The Art of Software Security Assessment
Mark Dowd, John McDonald, Justin Schuh.

REF-58

Address Space Layout Randomization in Windows Vista
Michael Howard.
https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista

REF-60

PaX
https://en.wikipedia.org/wiki/Executable_space_protection#PaX

REF-64

Position Independent Executables (PIE)
Grant Murphy.
https://www.redhat.com/en/blog/position-independent-executables-pie

REF-18

The CLASP Application Security Process
Secure Software, Inc..
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf

REF-1337

Bypassing Browser Memory Protections: Setting back browser security by 10 years
Alexander Sotirov and Mark Dowd.
https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf

REF-1332

Prelink and address space randomization
John Richard Moser.
https://lwn.net/Articles/190139/

REF-1333

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Dmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh.
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf

REF-1334

Stack Frame Canary Validation (D3-SFCV)
D3FEND.
https://d3fend.mitre.org/technique/d3f:StackFrameCanaryValidation/

REF-1335

Segment Address Offset Randomization (D3-SAOR)
D3FEND.
https://d3fend.mitre.org/technique/d3f:SegmentAddressOffsetRandomization/

REF-1477

Secure by Design Alert: Eliminating Buffer Overflow Vulnerabilities
Cybersecurity and Infrastructure Security Agency.
https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-buffer-overflow-vulnerabilities

REF-1518

AddressSanitizer
https://clang.llvm.org/docs/AddressSanitizer.html

Indiening

Naam Organisatie Datum Releasedatum Version
CLASP 2006-07-19 +00:00 2006-07-19 +00:00 Draft 3

Wijzigingen

Naam Organisatie Datum Opmerking
Eric Dalci Cigital 2008-07-01 +00:00 updated Potential_Mitigations, Time_of_Introduction
KDM Analytics 2008-08-01 +00:00 added/updated white box definitions
CWE Content Team MITRE 2008-09-08 +00:00 updated Applicable_Platforms, Common_Consequences, Relationships, Other_Notes, Taxonomy_Mappings, Weakness_Ordinalities
CWE Content Team MITRE 2008-11-24 +00:00 updated Common_Consequences, Other_Notes, Relationship_Notes
CWE Content Team MITRE 2009-01-12 +00:00 updated Common_Consequences, Relationships
CWE Content Team MITRE 2009-10-29 +00:00 updated Relationships
CWE Content Team MITRE 2010-02-16 +00:00 updated References
CWE Content Team MITRE 2011-06-01 +00:00 updated Common_Consequences
CWE Content Team MITRE 2012-05-11 +00:00 updated Demonstrative_Examples, References, Relationships
CWE Content Team MITRE 2012-10-30 +00:00 updated Demonstrative_Examples
CWE Content Team MITRE 2013-02-21 +00:00 updated Demonstrative_Examples, Potential_Mitigations
CWE Content Team MITRE 2014-06-23 +00:00 updated Observed_Examples
CWE Content Team MITRE 2014-07-30 +00:00 updated Relationships, Taxonomy_Mappings
CWE Content Team MITRE 2017-11-08 +00:00 updated Causal_Nature, Likelihood_of_Exploit, Observed_Examples, References, Relationships, Taxonomy_Mappings, White_Box_Definitions
CWE Content Team MITRE 2018-03-27 +00:00 updated References
CWE Content Team MITRE 2019-01-03 +00:00 updated Relationships
CWE Content Team MITRE 2020-02-24 +00:00 updated Relationships
CWE Content Team MITRE 2021-03-15 +00:00 updated References
CWE Content Team MITRE 2021-07-20 +00:00 updated Observed_Examples
CWE Content Team MITRE 2023-04-27 +00:00 updated Detection_Factors, Potential_Mitigations, References, Relationships, Time_of_Introduction
CWE Content Team MITRE 2023-06-29 +00:00 updated Mapping_Notes
CWE Content Team MITRE 2023-10-26 +00:00 updated Observed_Examples
CWE Content Team MITRE 2024-02-29 +00:00 updated Observed_Examples, Taxonomy_Mappings
CWE Content Team MITRE 2025-04-03 +00:00 updated Applicable_Platforms
CWE Content Team MITRE 2025-09-09 +00:00 updated Functional_Areas, References
CWE Content Team MITRE 2025-12-11 +00:00 updated Alternate_Terms, Applicable_Platforms, Detection_Factors, Observed_Examples, References, Relationship_Notes, Terminology_Notes
CWE Content Team MITRE 2026-01-21 +00:00 updated Relationships
De informatie die op CVE Find wordt gepresenteerd, is afkomstig van verschillende zorgvuldig geselecteerde referentiebronnen. CVE-gegevens worden geleverd door MITRE Corporation en de National Vulnerability Database (NVD). De Known Exploited Vulnerabilities (KEV)-catalogus is afkomstig van de Cybersecurity and Infrastructure Security Agency (CISA), terwijl EPSS-scores afkomstig zijn van FIRST.org. Daarnaast worden gegevens over softwarezwakheden (CWE) en veelvoorkomende aanvalspatronen (CAPEC) bijgehouden door MITRE Corporation, en informatie over hardware- en softwareconfiguraties (CPE) wordt geleverd door de NVD.