CWE-787: Out-of-bounds Write

BaseDraftExploit Likelihood: High🏆 #2 in Top 25 (2024)

The product writes data past the end, or before the beginning, of the intended buffer.

View on MITRE
3,842Related CVEs
43.67Severity Score
Back to CWE Lookup

Technical Details

Structure
Simple

Applicable To

Languages
CC++Assembly
Platforms

🏆 CWE Top 25 Historical Ranking

2023:#1
Score: 63.72
3,116 CVEs
2024:#2↓1
Score: 43.67
3,842 CVEs
Trend:Improving (moved up 1 ranks)

Frequently Asked Questions

What is CWE-787: Out-of-bounds Write?+

CWE-787: Out-of-bounds Write is a Common Weakness Enumeration (CWE) entry maintained by MITRE. The product writes data past the end, or before the beginning, of the intended buffer.

Is CWE-787 in the CWE Top 25 Most Dangerous Software Weaknesses?+

Yes. CWE-787 ranked #2 in the CWE Top 25 for 2024, associated with 3,842 CVEs that year. The CWE Top 25 highlights the most common and impactful software weaknesses based on real-world vulnerability data.

What are the security consequences of Out-of-bounds Write?+

If exploited, CWE-787 (Out-of-bounds Write) it can compromise Integrity, Availability and Other, leading to outcomes such as Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart and Unexpected State.

Which programming languages are affected by Out-of-bounds Write?+

CWE-787 commonly affects C, C++ and Assembly. Note that weaknesses are often language-agnostic patterns, so secure coding practices apply broadly.

What are real-world examples of Out-of-bounds Write?+

MITRE documents real CVEs mapped to CWE-787, including CVE-2025-27363, CVE-2023-1017, CVE-2021-21220, CVE-2021-28664 and CVE-2020-17087. You can look up the full details of each CVE, including CVSS scores and remediation guidance, on our CVE Lookup tool.

What is the difference between a CWE and a CVE?+

A CWE (Common Weakness Enumeration) like CWE-787 describes a category of software weakness — the underlying flaw type. A CVE (Common Vulnerabilities and Exposures) identifies a specific, real-world vulnerability in a particular product. In short, a CWE is the kind of mistake, and a CVE is an instance of that mistake being found in software.

Learn More