CWE-122: Heap-based Buffer Overflow
low-riskA heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Common Consequences
Detection Methods
Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].
Real-World Examples (10)
| CVE | CVSS | EPSS | KEV |
|---|---|---|---|
| CVE-2015-3113 | 9.8 | 92.4% | Y |
| CVE-2021-21017 | 8.8 | 90.6% | Y |
| CVE-2023-27997 | 9.8 | 89.1% | Y |
| CVE-2023-36824 | 7.4 | 88.5% | — |
| CVE-2024-38077 | 9.8 | 86.3% | — |
| CVE-2024-49138 | 7.8 | 85.8% | Y |
| CVE-2024-4323 | 9.8 | 84.6% | — |
| CVE-2024-26229 | 7.8 | 83.2% | — |
| CVE-2025-21333 | 7.8 | 81.3% | Y |
| CVE-2024-38812 | 9.8 | 77.9% | Y |