Category

Cwe 121

Security vulnerabilities and automated fixes for cwe 121 issues

31 posts found

critical8 min

How buffer overflow in rcdevice.c request parser happens in C and how to fix it

A critical buffer overflow vulnerability was discovered in `src/main/io/rcdevice.c` at line 489, where the RC device request parser wrote incoming data into a fixed-size buffer without validating against the hard-coded maximum capacity `RCDEVICE_PROTOCOL_MAX_DATA_SIZE`. An attacker controlling the device's I/O data stream could overflow the buffer by sending a payload longer than `expectedDataLength`, potentially achieving arbitrary code execution. The fix adds a second bounds check against the

#buffer-overflow#c#embedded+4 more
O
orbisai0security
Jul 6, 2026
critical8 min

How buffer overflow happens in C TinyGSM sprintf and how to fix it

A critical buffer overflow vulnerability was discovered in `TinyGsmClientSequansMonarch.h` at line 515, where `sprintf` was writing a two-character hex string into a buffer only two bytes large — leaving no room for the null terminator. The fix replaces `sprintf` with `snprintf` and increases the buffer to three bytes, preventing a one-byte overflow that could corrupt adjacent memory in embedded firmware.

#buffer-overflow#c-cpp#embedded-security+5 more
O
orbisai0security
Jul 5, 2026
critical7 min

How buffer overflow happens in C dlldbg.c sprintf() and how to fix it

A classic buffer overflow vulnerability was discovered in `bld/pbide/dlldbg/dlldbg.c` at line 80, where an unbounded `sprintf()` call wrote a user-influenced `dllName` string into a fixed-size `fmtBuffer` without any length checking. An attacker supplying a maliciously crafted DLL name could overflow the buffer, overwrite adjacent memory, and potentially achieve arbitrary code execution. The fix replaces `sprintf()` with `snprintf()`, passing `sizeof(fmtBuffer)` as an explicit bound to ensure th

#buffer-overflow#c#sprintf+4 more
O
orbisai0security
Jun 29, 2026
critical9 min

How kernel stack buffer overflow happens in C vsprintf() and how to fix it

A critical stack buffer overflow vulnerability was discovered in `sys/kern/debug.c` where the kernel's `printf()` function called a custom `vsprintf()` implementation without any length constraint on the output buffer `db_msg`. By replacing the unbounded `vsprintf()` call with a size-aware `vsnprintf()` implementation, the fix prevents crafted format strings or oversized arguments from overwriting kernel stack memory, closing a path to arbitrary kernel code execution.

#buffer-overflow#kernel-security#c-programming+4 more
O
orbisai0security
Jun 18, 2026
critical8 min

How buffer overflow in URL parsing happens in C++ HTTP client and how to fix it

A critical buffer overflow vulnerability in the HTTP client's URL parsing function allowed attackers to overflow a stack-allocated host buffer through specially crafted URLs with excessively long hostnames. The vulnerability enabled arbitrary code execution by overwriting the return address. The fix adds proper bounds validation before the memcpy() operation to ensure the hostname length never exceeds the destination buffer size.

#buffer-overflow#cpp#security+4 more
O
orbisai0security
Jun 15, 2026
critical9 min

How buffer overflow happens in C patches.c sprintf macros and how to fix it

A critical buffer overflow vulnerability was discovered in `src/patches.c` where the `_EPRINT_I`, `_EPRINT_F`, and `_EPRINT_COEF` macros used `sprintf()` to write formatted AMY event data into a fixed-size buffer without any bounds checking. By replacing every `sprintf()` call with `snprintf()` and tracking remaining buffer space using a `s_entry` base pointer, the fix ensures that formatting 22 event fields — even at maximum values — can never write beyond the buffer boundary.

#buffer-overflow#c#sprintf+4 more
O
orbisai0security
Jun 6, 2026
critical10 min

Critical Buffer Overflow in NCO Filter String Construction: How strcat() Without Bounds Checking Can Corrupt Memory

A critical buffer overflow vulnerability was discovered and patched in the NetCDF Operators (NCO) library, specifically in the filter string construction loop within `nco_flt.c`. The flaw stemmed from repeated use of `strcat()` and `sprintf()` without any bounds checking, allowing an attacker to supply crafted filter specifications that overflow a fixed-size buffer and corrupt adjacent memory. The fix replaces these unsafe calls with bounds-aware `snprintf()` invocations that track the current w

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
May 28, 2026
high7 min

Buffer Overflow in RS-232 Serial Input: How a Missing Length Check Put Embedded Systems at Risk

A critical buffer overflow vulnerability was discovered in `serial.c`, where the `rs232_buffered_input` function could write more bytes than the destination buffer `rs232_ibuff` could hold — with no size limit to stop it. An attacker with access to the RS-232 serial port could exploit this to overwrite adjacent OS memory, including return addresses and critical data structures. The fix adds a simple but essential bounds check that clamps the returned byte count to the actual buffer size.

#buffer-overflow#embedded-security#c-programming+4 more
O
orbisai0security
May 28, 2026
critical7 min

Critical Buffer Overflow Fix: How Unbounded strcpy() Puts Your System at Risk

A critical buffer overflow vulnerability was discovered in a custom `strcpy()` implementation that performed unbounded memory copies without any destination buffer size validation. In kernel and OS contexts, this flaw could allow attackers to overwrite return addresses, corrupt heap metadata, or destabilize critical system data structures. The fix replaces the unsafe `strcpy()` with a bounds-checked `strlcpy()` that enforces a maximum copy length, eliminating the overflow risk entirely.

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
May 28, 2026
critical7 min

Stack Buffer Overflow in FTM File Parser: How strcpy() Almost Enabled Arbitrary Code Execution on ESP32

A critical stack buffer overflow vulnerability was discovered in `ftm_file.cpp`, where unchecked `strcpy()` calls allowed attacker-controlled filenames from crafted FTM files to overwrite stack memory, including the saved return address, enabling arbitrary code execution on ESP32 devices. The fix replaces both dangerous `strcpy()` calls with bounds-checked `strncpy()` plus explicit null-termination, eliminating the overflow vector entirely. This is a textbook reminder that unsafe C string functi

#buffer-overflow#c-cpp#embedded-security+4 more
O
orbisai0security
May 28, 2026
medium8 min

Buffer Overflow via Unsafe sprintf() in C Game Menu: How Shared Campaign Files Could Lead to Code Execution

A series of unbounded `sprintf()` calls in `src/mainmenu.c` created a realistic buffer overflow attack chain, allowing an attacker to craft a malicious campaign file that triggers arbitrary code execution when loaded by a victim. The fix replaces each unsafe `sprintf()` with `snprintf()`, enforcing strict buffer size limits and eliminating the overflow conditions. Because campaign files are routinely shared in game communities, this vulnerability required no special access and posed a significan

#buffer-overflow#c-security#sprintf+4 more
O
orbisai0security
May 28, 2026
critical9 min

Critical Buffer Overflow in gravier-str.h: How Broken Bit Shifts and Missing Bounds Checks Created a Memory Corruption Vulnerability

A critical buffer overflow vulnerability was discovered in `gravier/gravier-str.h`, where a subtle typo in the `next_power_of_2()` function combined with off-by-one allocation errors and unchecked `strcpy()` calls created a dangerous memory corruption pathway. Because this code was directly reachable from user-facing menu text input and the s7 scripting engine, an attacker could potentially exploit it to crash the application or execute arbitrary code. The fix corrects the broken bit-shift opera

#buffer-overflow#c-security#memory-safety+4 more
O
orbisai0security
May 28, 2026