Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
CWE-122 Variant Draft
Heap-based Buffer Overflow
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers…
Definition
What is CWE-122?
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers created with functions like malloc(), calloc(), or realloc().
This vulnerability happens when your code fails to properly validate the size of data being copied into a dynamically allocated buffer. When you write past the buffer's boundary, you overwrite critical heap management data—like metadata that tracks free and allocated blocks. This corruption can crash the program, lead to unpredictable behavior, or be exploited to execute arbitrary code by an attacker who carefully crafts the overflow data to control program execution.
Preventing heap overflows requires rigorous bounds checking, using safe functions (like strncpy instead of strcpy), and tools to detect memory mismanagement. While SAST tools can catch the dangerous pattern, Plexicus uses AI to analyze the context and suggest the precise code fix—such as inserting the correct size check—saving hours of manual review and helping you remediate these flaws across your entire application stack.
Real-world impact
Real-world CVEs caused by CWE-122
-
Chain: in a web browser, an unsigned 64-bit integer is forcibly cast to a 32-bit integer (CWE-681) and potentially leading to an integer overflow (CWE-190). If an integer overflow occurs, this can cause heap memory corruption (CWE-122)
-
Chain: integer signedness error (CWE-195) passes signed comparison, leading to heap overflow (CWE-122)
-
Chain: product does not handle when an input string is not NULL terminated (CWE-170), leading to buffer over-read (CWE-125) or heap-based buffer overflow (CWE-122).
-
Chain: machine-learning product can have a heap-based buffer overflow (CWE-122) when some integer-oriented bounds are calculated by using ceiling() and floor() on floating point values (CWE-1339)
-
Chain: integer overflow (CWE-190) causes a negative signed value, which later bypasses a maximum-only check (CWE-839), leading to heap-based buffer overflow (CWE-122).
How attackers exploit it
Step-by-step attacker path
- 1
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:
- 2
The buffer is allocated heap memory with a fixed size, but there is no guarantee the string in argv[1] will not exceed this size and cause an overflow.
- 3
This example applies an encoding procedure to an input string and stores it into a buffer.
- 4
The programmer attempts to encode the ampersand character in the user-controlled string, however the length of the string is validated before the encoding procedure is applied. Furthermore, the programmer assumes encoding expansion will only expand a given character by a factor of 4, while the encoding of the ampersand expands by 5. As a result, when the encoding procedure expands the string it is possible to overflow the destination buffer if the attacker provides a string of many ampersands.
Vulnerable code example
Vulnerable C
While buffer overflow examples can be rather complex, it is possible to have very simple, yet still exploitable, heap-based buffer overflows:
#define BUFSIZE 256
int main(int argc, char **argv) {
char *buf;
buf = (char *)malloc(sizeof(char)*BUFSIZE);
strcpy(buf, argv[1]);
} Secure code example
Secure pseudo
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
const safe = validateAndEscape(input);
return executeWithGuards(safe);
} What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist
How to prevent CWE-122
- Pre-design: Use a language or compiler that performs automatic bounds checking.
- Architecture and Design Use an abstraction library to abstract away risky APIs. Not a complete solution.
- Operation / Build and Compilation Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] discusses canary-based detection in detail.
- Operation / Build and Compilation Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Imported modules may be similarly realigned if their default memory addresses conflict with other modules, in a process known as "rebasing" (for Windows) and "prelinking" (for Linux) [REF-1332] using randomly generated addresses. ASLR for libraries cannot be used in conjunction with prelink since it would require relocating the libraries at run-time, defeating the whole purpose of prelinking. For more information on these techniques see D3-SAOR (Segment Address Offset Randomization) from D3FEND [REF-1335].
- Implementation Implement and perform bounds checking on input.
- Implementation Do not use dangerous functions such as gets. Look for their safe equivalent, which checks for the boundary.
- Operation Use OS-level preventative functionality. This is not a complete solution, but it provides some defense in depth.
Detection signals
How to detect CWE-122
Plexicus auto-detects CWE-122 and opens a fix PR in under 60 seconds.
Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.
Frequently asked questions What is CWE-122?
How serious is CWE-122?
What languages or platforms are affected by CWE-122?
How can I prevent CWE-122?
How does Plexicus detect and fix CWE-122?
Where can I learn more about CWE-122?
Frequently asked questions
What is CWE-122?
A heap-based buffer overflow occurs when a program writes more data to a memory buffer allocated in the heap than it can hold, corrupting adjacent memory structures. This typically involves buffers created with functions like malloc(), calloc(), or realloc().
How serious is CWE-122?
MITRE rates the likelihood of exploit as High — this weakness is actively exploited in the wild and should be prioritized for remediation.
What languages or platforms are affected by CWE-122?
MITRE lists the following affected platforms: C, C++.
How can I prevent CWE-122?
Pre-design: Use a language or compiler that performs automatic bounds checking. Use an abstraction library to abstract away risky APIs. Not a complete solution.
How does Plexicus detect and fix CWE-122?
Plexicus's SAST engine matches the data-flow signature for CWE-122 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.
Where can I learn more about CWE-122?
MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/122.html. You can also reference OWASP and NIST documentation for adjacent guidance.
Related weaknesses
Weaknesses related to CWE-122
CWE-788 Parent
Access of Memory Location After End of Buffer
This vulnerability occurs when software attempts to read from or write to a memory buffer using an index or pointer that points past the…
CWE-121 Sibling
Stack-based Buffer Overflow
A stack-based buffer overflow occurs when a program writes more data to a buffer located on the call stack than it can hold, corrupting…
CWE-126 Sibling
Buffer Over-read
This vulnerability occurs when a program reads data from a memory buffer using an index or pointer that points beyond the buffer's…
Resources
Further reading
- MITRE — official CWE-122 https://cwe.mitre.org/data/definitions/122.html
- Writing Secure Code https://www.microsoftpressstore.com/store/writing-secure-code-9780735617223
- Address Space Layout Randomization in Windows Vista https://learn.microsoft.com/en-us/archive/blogs/michael_howard/address-space-layout-randomization-in-windows-vista
- PaX https://en.wikipedia.org/wiki/Executable_space_protection#PaX
Ready when you are
Don't Let Security
Weigh You Down.
Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.