Category

Buffer Overflow

Security vulnerabilities and automated fixes for buffer overflow issues

233 posts found

Buffer overflow vulnerabilities occur when a program writes data beyond the boundaries of allocated memory, allowing attackers to overwrite adjacent memory and potentially execute arbitrary code. These flaws are among the most dangerous in systems programming and have been responsible for countless critical exploits.

Related CWEs

CWE-120CWE-121CWE-122CWE-787CWE-125

Affected Languages

CC++Rust (unsafe)Assembly
critical7 min

How buffer overflow happens in C libficus.c sprintf() and how to fix it

A buffer overflow vulnerability was discovered in `runtime/ficus/impl/libficus.c` where `sprintf()` was used to write a formatted compiler version string into a fixed-size stack buffer without any bounds checking. The fix replaces both vulnerable `sprintf()` calls with `snprintf()`, passing `sizeof(cver)` as the maximum write length to ensure the buffer can never be overrun. This change eliminates the risk of stack memory corruption that could be triggered by an attacker with control over the bu

#buffer-overflow#c#sprintf+4 more
O
orbisai0security
Jul 11, 2026
critical5 min

How buffer overflow via strcpy() happens in C Kconfig parsing and how to fix it

A critical buffer overflow vulnerability was discovered in the Linux kernel's Kconfig build system where `strcpy()` copied user-controlled symbol values into a fixed-size buffer without bounds checking. This flaw in `scripts/kconfig/symbol.c` could allow attackers to overwrite adjacent memory when processing malicious Kconfig files. The fix replaces the unsafe `strcpy()` with `memcpy()` using explicit length calculations.

#security#buffer-overflow#c+4 more
O
orbisai0security
Jul 11, 2026
critical7 min

How buffer overflow in locale name processing happens in C and how to fix it

A critical buffer overflow vulnerability was discovered in `intl/localename.c` where the `gl_locale_name_canonicalize()` function used unsafe `strcpy()` operations to copy locale names into fixed-size buffers without bounds checking. An attacker controlling locale environment variables could overflow the destination buffer, leading to memory corruption and potential code execution. The fix replaced `strcpy()` with bounded `strncpy()` calls to prevent buffer overruns.

#buffer-overflow#c-security#strcpy+4 more
O
orbisai0security
Jul 11, 2026
critical7 min

How buffer overflow happens in C strcpy() and how to fix it

A critical buffer overflow vulnerability was discovered in `sbin/restore/tape.c` where the `setinput()` function used unsafe `strcpy()` to copy user-controlled input into a fixed-size buffer without bounds checking. The fix replaces `strcpy()` with `strlcpy()`, which enforces a maximum copy length and prevents the overflow. This vulnerability could have allowed attackers to corrupt memory and potentially execute arbitrary code through long command-line arguments.

#buffer-overflow#c-security#strcpy+4 more
O
orbisai0security
Jul 11, 2026
high8 min

How insecure string copy functions happen in C calculations.c and how to fix it

A high-severity buffer overflow vulnerability was discovered in `src/calculations.c` at line 37, where a two-step `strncpy` + manual null-termination pattern left the door open for subtle memory safety bugs when copying string data into the `entry->type` field. The fix replaces both lines with a single `snprintf` call that handles bounds and null-termination atomically, eliminating the risk entirely. This is a common C pitfall that affects production CLI tools and can be exploited when attacker-

#buffer-overflow#c-security#strncpy+4 more
O
orbisai0security
Jul 11, 2026
high6 min

How integer truncation heap overflow happens in C++ UEFI ACPI parsing and how to fix it

A high-severity integer truncation vulnerability was discovered in `Mobility.Uefi.Acpi.cpp` where heap allocation sizes were stored in a 16-bit integer (`MO_UINT16`), causing silent truncation when the computed size exceeded 65535 bytes. This led to undersized heap allocations followed by out-of-bounds writes, exploitable by an attacker who can influence ACPI SRAT table contents in virtualized environments. The fix promotes the size variable to `MO_UINTN` (platform-native width) to prevent trunc

#security#buffer-overflow#integer-overflow+4 more
O
orbisai0security
Jul 10, 2026
critical7 min

How integer overflow in buffer size calculation happens in C and how to fix it

A critical integer overflow vulnerability was discovered in the `nsh_setvar()` function in `nshlib/nsh_vars.c`, where the buffer size calculation `newsize = pstate->varsz + varlen` could wrap around, causing a heap buffer overflow. The fix adds overflow checking before the addition, preventing attackers with shell access from corrupting memory by setting variables with crafted names and values.

#integer-overflow#buffer-overflow#C+4 more
O
orbisai0security
Jul 10, 2026
high5 min

How buffer overflow via sprintf() happens in C networking code and how to fix it

A high-severity buffer overflow vulnerability was discovered in `profile.c` where `sprintf()` was used to format server addresses without any bounds checking. An attacker who could influence the `SERVER_BASE_PORT` value or trigger integer overflow in the port calculation could write beyond the `server_address` buffer. The fix replaces `sprintf()` with `snprintf()` using explicit buffer size limits at both call sites (lines 99 and 220).

#security#buffer-overflow#c+4 more
O
orbisai0security
Jul 9, 2026
critical8 min

How integer overflow happens in C reliable.c and how to fix it

A critical integer overflow vulnerability was discovered in `reliable.c` at line 1299, where the `packet_buffer_size` calculation used signed `int` arithmetic that could wrap to a negative or undersized value when large `fragment_size` values were involved. By casting each operand to `size_t` before multiplication, the fix eliminates the overflow risk entirely and ensures the allocated buffer is always large enough to hold the reassembled packet data.

#integer-overflow#c#cwe-190+4 more
O
orbisai0security
Jul 9, 2026
high9 min

How insecure string copy functions happen in C (cyw43.c) and how to fix it

Three unsafe string copy calls in `src/cyw43.c` — including a bare `strcpy()` and two `strncpy()` calls — created buffer overflow risks in a CYW43 Wi-Fi driver emulation layer. The fix replaces all three with `snprintf()`, which enforces buffer size limits and guarantees null-termination in a single, consistent operation. Left unaddressed, these vulnerabilities could allow an attacker controlling input like a TAP interface name or SSID to corrupt adjacent memory and potentially execute arbitrary

#buffer-overflow#c#memory-safety+4 more
O
orbisai0security
Jul 9, 2026
critical9 min

How buffer overflow happens in C display_controller.cpp and how to fix it

A critical buffer overflow vulnerability was discovered in `playground/GpsBasics/display_controller.cpp` where `sprintf` was used without bounds checking on fixed-size stack buffers. An attacker supplying malicious GPS data with extreme field values (such as a year value of `99999`) could produce a formatted string longer than the declared buffer, leading to stack corruption and potential code execution. The fix introduces proper buffer-length enforcement, ensuring formatted GPS strings can neve

#buffer-overflow#C#embedded-security+4 more
O
orbisai0security
Jul 9, 2026
critical9 min

How heap buffer overflow happens in C parallel_memcpy() and how to fix it

A critical heap buffer overflow was discovered in `csrc/cpu/comm/shm.cpp` where the `parallel_memcpy` function copies data without validating that the destination buffer is large enough to hold the incoming bytes. A malicious co-located process could manipulate shared memory state to supply a `chunk_size` exceeding the fixed 32MB `MAX_BUF_SIZE` buffer, triggering memory corruption. The fix adds bounds enforcement and switches pointer array initialization from `malloc` to `calloc` to eliminate un

#buffer-overflow#c-cpp#heap-corruption+4 more
O
orbisai0security
Jul 9, 2026