Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
CWE-122 Variant Draft
Heap-based Buffer Overflow
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers…
Definition
What is CWE-122?
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers created with functions like malloc(), calloc(), or realloc().
This vulnerability happens when your code fails to properly validate the size of data being copied into a dynamically allocated buffer. When you write past the buffer's boundary, you overwrite critical heap management data—like metadata that tracks free and allocated blocks. This corruption can crash the program, lead to unpredictable behavior, or be exploited to execute arbitrary code by an attacker who carefully crafts the overflow data to control program execution.
Preventing heap overflows requires rigorous bounds checking, using safe functions (like strncpy instead of strcpy), and tools to detect memory mismanagement. While SAST tools can catch the dangerous pattern, Plexicus uses AI to analyze the context and suggest the precise code fix—such as inserting the correct size check—saving hours of manual review and helping you remediate these flaws across your entire application stack.
Auswirkungen in der Praxis
Real-world CVEs caused by CWE-122
-
Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
-
Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
-
Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).
-
Chain: machine-learning product can have a heap-based buffer overflow (CWE-122) when some integer-oriented bounds are calculated by using ceiling() and floor() on floating point values (CWE-1339)
-
Chain: integer overflow (CWE-190) causes a negative signed value, which later bypasses a maximum-only check (CWE-839), leading to heap-based buffer overflow (CWE-122).
Wie Angreifer es ausnutzen
Angreiferpfad Schritt für Schritt
- 1
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:
- 2
The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.
- 3
This example applies an encoding procedure to an input string and stores it into a buffer.
- 4
The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.
Verwundbares Codebeispiel
Vulnerable C
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:
#define BUFSIZE 256
int main(int argc, char **argv) {
char *buf;
buf = (char *)malloc(sizeof(char)*BUFSIZE);
strcpy(buf, argv[1]);
} Sicheres Codebeispiel
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Präventions-Checkliste
How to prevent CWE-122
- Pre-design: Use a language or compiler that performs automatic bounds checking.
- Architecture and Design Use an abstraction library to abstract away risky APIs. Not a complete solution.
- Operation / Build and Compilation Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
- Operation / Build and Compilation Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
- Implementation Implement and perform bounds checking on input.
- Implementation Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
- Operation Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
Erkennungssignale
How to detect CWE-122
Plexicus erkennt CWE-122 automatisch und öffnet in unter 60 Sekunden einen Fix-PR.
Codex Remedium scannt jeden Commit, identifiziert genau diese Schwachstelle und liefert einen reviewer-ready Pull Request mit dem Patch. Keine Tickets. Keine Hand-offs.
Häufig gestellte Fragen Was ist CWE-122?
Wie gravierend ist CWE-122?
Welche Sprachen oder Plattformen sind von CWE-122 betroffen?
Wie kann ich CWE-122 verhindern?
Wie erkennt und behebt Plexicus CWE-122?
Wo erfahre ich mehr über CWE-122?
Frequently asked questions
Was ist CWE-122?
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers created with functions like malloc(), calloc(), or realloc().
Wie gravierend ist CWE-122?
MITRE stuft die Exploit-Wahrscheinlichkeit als hoch ein — diese Schwachstelle wird aktiv in freier Wildbahn ausgenutzt und sollte priorisiert behoben werden.
Welche Sprachen oder Plattformen sind von CWE-122 betroffen?
MITRE lists the following affected platforms: C, C++.
Wie kann ich CWE-122 verhindern?
Pre-design: Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution.
Wie erkennt und behebt Plexicus CWE-122?
Die SAST-Engine von Plexicus erkennt die Datenfluss-Signatur von CWE-122 bei jedem Commit. Bei einem Treffer öffnet unser Codex-Remedium-Agent einen Fix-PR mit korrigiertem Code, Tests und einer einzeiligen Zusammenfassung für den Reviewer.
Wo erfahre ich mehr über CWE-122?
MITRE veröffentlicht die kanonische Definition unter https://cwe.mitre.org/data/definitions/122.html. Für ergänzende Hinweise kannst du auch die OWASP- und NIST-Dokumentation heranziehen.
Verwandte Schwachstellen
Weaknesses related to CWE-122
CWE-788 Parent
Access of Memory Location After End of Buffer
This vulnerability occurs when software attempts to read from or write to a memory buffer using an index or pointer that points past the…
CWE-121 Sibling
Stack-based Buffer Overflow
A stack-based buffer overflow occurs when a program writes more data to a buffer located on the call stack than it can hold, corrupting…
CWE-126 Sibling
Buffer Over-read
This vulnerability occurs when a program reads data from a memory buffer using an index or pointer that points beyond the buffer's…
Ressourcen
Further reading
- MITRE — offizielle CWE-122 https://cwe.mitre.org/data/definitions/122.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Address Space Layout Randomization in Windows Vista https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista
- PaX https://en.wikipedia.org/wiki/Executable_space_protection#PaX
Bereit, wenn du es bist
Schluss mit dem Bezahlen pro Entwickler.
Schließ den Kreislauf.
Plexicus ist die KI-native ASPM, die scannt, filtert, fixt, pentestet und erklärt — autonom. Unbegrenzte Entwickler, unbegrenzte Repos, Fair-Use-KI-Aktionen. Echter kostenloser Tarif, €269/mo jährlich, wenn du bereit bist.