logo

Heap-based Buffer Overflow

Draft Variant
Structure: Simple
Description

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Common Consequences 3
Scope: Availability

Impact: DoS: Crash, Exit, or RestartDoS: Resource Consumption (CPU)DoS: Resource Consumption (Memory)

Buffer overflows generally lead to crashes. Other attacks leading to lack of availability are possible, including putting the program into an infinite loop.

Scope: IntegrityConfidentialityAvailabilityAccess Control

Impact: Execute Unauthorized Code or CommandsBypass Protection MechanismModify Memory

Buffer overflows often can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy. Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker's code. Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory. For example, object methods in C++ are generally implemented using function pointers. Even in C programs, there is often a global offset table used by the underlying runtime.

Scope: IntegrityConfidentialityAvailabilityAccess ControlOther

Impact: Execute Unauthorized Code or CommandsBypass Protection MechanismOther

When the consequence is arbitrary code execution, this can often be used to subvert any other security service.
Detection Methods 1
FuzzingHigh
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Potential Mitigations 7
Pre-design: Use a language or compiler that performs automatic bounds checking.
Phase: Architecture and Design
Use an abstraction library to abstract away risky APIs. Not a complete solution.
Phase: OperationBuild and Compilation

Strategy: Environment Hardening

Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.

Effectiveness: Defense in Depth

Phase: OperationBuild and Compilation

Strategy: Environment Hardening

Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].

Effectiveness: Defense in Depth

Phase: Implementation
Implement and perform bounds checking on input.
Phase: Implementation

Strategy: Libraries or Frameworks

Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
Phase: Operation
Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
Demonstrative Examples 2
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:

Code Example:

Bad
C
c
The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.

ID : DX-19

This example applies an encoding procedure to an input string and stores it into a buffer.

Code Example:

Bad
C
c

/* encode to < / } else dst_buf[dst_index++] = user_supplied_string[i];} return dst_buf;}

The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.
Observed Examples 5
CVE-2021-43537Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (Incorrect Conversion between Numeric Types) and potentially leading to an integer overflow (Integer Overflow or Wraparound). If an integer overflow occurs, this can cause heap memory corruption (Heap-based Buffer Overflow)
CVE-2007-4268Chain: integer signedness error (Signed to Unsigned Conversion Error) passes signed comparison, leading to heap overflow (Heap-based Buffer Overflow)
CVE-2009-2523Chain: product does not handle when an input string is not NULL terminated (Improper Null Termination), leading to buffer over-read (Out-of-bounds Read) or heap-based buffer overflow (Heap-based Buffer Overflow).
CVE-2021-29529Chain: machine-learning product can have a heap-based buffer overflow (Heap-based Buffer Overflow) when some integer-oriented bounds are calculated by using ceiling() and floor() on floating point values (Insufficient Precision or Accuracy of a Real Number)
CVE-2010-1866Chain: integer overflow (Integer Overflow or Wraparound) causes a negative signed value, which later bypasses a maximum-only check (Numeric Range Comparison Without Minimum Check), leading to heap-based buffer overflow (Heap-based Buffer Overflow).
References 14
Writing Secure Code
Michael Howard and David LeBlanc
Microsoft Press
04-12-2002
https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
ID: REF-7
24 Deadly Sins of Software Security
Michael Howard, David LeBlanc, and John Viega
McGraw-Hill
2010
ID: REF-44
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
The Art of Software Security Assessment
Mark Dowd, John McDonald, and Justin Schuh
Addison Wesley
2006
ID: REF-62
Address Space Layout Randomization in Windows Vista
Michael Howard
https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista(2023-04-07)
ID: REF-58
PaX
https://en.wikipedia.org/wiki/Executable_space_protection#PaX(2023-04-07)
ID: REF-60
Position Independent Executables (PIE)
Grant Murphy
Red Hat
28-11-2012
https://www.redhat.com/en/blog/position-independent-executables-pie(2023-04-07)
ID: REF-64
The CLASP Application Security Process
Secure Software, Inc.
2005
https://cwe.mitre.org/documents/sources/TheCLASPApplicationSecurityProcess.pdf(2024-11-17)
ID: REF-18
Bypassing Browser Memory Protections: Setting back browser security by 10 years
Alexander Sotirov and Mark Dowd
2008
https://www.blackhat.com/presentations/bh-usa-08/Sotirov_Dowd/bh08-sotirov-dowd.pdf(2023-04-26)
ID: REF-1337
Prelink and address space randomization
John Richard Moser
05-07-2006
https://lwn.net/Articles/190139/(2023-04-26)
ID: REF-1332
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
Dmitry Evtyushkin, Dmitry Ponomarev, Nael Abu-Ghazaleh
2016
http://www.cs.ucr.edu/~nael/pubs/micro16.pdf(2023-04-26)
ID: REF-1333
Stack Frame Canary Validation (D3-SFCV)
D3FEND
2023
https://d3fend.mitre.org/technique/d3f:StackFrameCanaryValidation/(2023-04-26)
ID: REF-1334
Segment Address Offset Randomization (D3-SAOR)
D3FEND
2023
https://d3fend.mitre.org/technique/d3f:SegmentAddressOffsetRandomization/(2023-04-26)
ID: REF-1335
Secure by Design Alert: Eliminating Buffer Overflow Vulnerabilities
Cybersecurity and Infrastructure Security Agency
12-02-2025
https://www.cisa.gov/resources-tools/resources/secure-design-alert-eliminating-buffer-overflow-vulnerabilities(2025-07-18)
ID: REF-1477
Likelihood of Exploit

High

Applicable Platforms
Languages:
C : OftenC++ : Often
Modes of Introduction
Implementation
Related Attack Patterns
Functional Areas
  1. Memory Management
Affected Resources
  1. Memory
Related Weaknesses
ChildOf: Access of Memory Location After End of Buffer (CWE-788)
ChildOf: Out-of-bounds Write (CWE-787)
Taxonomy Mapping
  • CLASP
  • Software Fault Patterns
  • CERT C Secure Coding
  • ISA/IEC 62443
  • ISA/IEC 62443
  • ISA/IEC 62443
  • ISA/IEC 62443
  • ISA/IEC 62443
  • ISA/IEC 62443
Notes
RelationshipHeap-based buffer overflows are usually just as dangerous as stack-based buffer overflows.