CWE-122: CWE-122: Heap-based Buffer Overflow

VariantStable

Description

View on MITRE
Back to CWE Lookup

Technical Details

Structure
Simple
Vulnerability Mapping
ALLOWED

Applicable To

Languages
Languages
Platforms
Languages

Frequently Asked Questions

What is CWE-122: CWE-122: Heap-based Buffer Overflow?+

CWE-122: CWE-122: Heap-based Buffer Overflow is a Common Weakness Enumeration (CWE) entry maintained by MITRE. Description

What are the security consequences of CWE-122: Heap-based Buffer Overflow?+

If exploited, CWE-122 (CWE-122: Heap-based Buffer Overflow) it can compromise DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) and Execute Unauthorized Code or Commands, leading to outcomes such as Scope: Availability Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop., Scope: Integrity, Confidentiality, Availability and Access Control Buffer overflows often can be used to execute arbitrary code.

How do you prevent or mitigate CWE-122: Heap-based Buffer Overflow?+

Recommended mitigations for CWE-122 include: Pre-design: Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution. Strategy: Environment Hardening Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [ REF-1334 ] discusses canary-based detection in detail. Effectiveness: Defense in Depth Note: This is not necessarily a complete solution, since these mechanisms only detect certain types of overflows. In addition, the result is still a denial of service, since the typical response is to exit the application.

Which programming languages are affected by CWE-122: Heap-based Buffer Overflow?+

CWE-122 commonly affects Languages. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-122 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More