Skip to main content

Heap Overflow

memory HIGH

A heap overflow occurs when a program writes data beyond the bounds of a buffer allocated in the heap memory region.

How It Works

A heap overflow occurs when a program writes data beyond the bounds of a buffer allocated in the heap memory region. Unlike stack overflows that target the call stack, heap overflows corrupt dynamically allocated memory managed by functions like malloc() or new. When a program allocates heap memory without properly validating input size, an attacker can supply excessive data that spills into adjacent heap chunks, corrupting heap metadata structures or neighboring objects.

Exploitation typically targets heap management metadata (chunk headers containing size and status information) or data in adjacent allocations. Attackers can overwrite function pointers stored in heap objects, C++ vtable pointers, or critical data fields to redirect program execution. Modern heap implementations use inline metadata, making them vulnerable to carefully crafted overflows that manipulate allocation structures to achieve arbitrary write primitives.

The attack difficulty varies by heap implementation. Attackers must understand the specific allocator's layout (glibc malloc, Windows heap, etc.) and often need information leaks to defeat ASLR. Heap feng shui techniques arrange heap allocations in predictable patterns, placing attacker-controlled data adjacent to target objects to maximize exploitation reliability.

Impact

  • Arbitrary code execution: Overwrite function pointers or vtables to redirect control flow to attacker-supplied shellcode
  • Memory corruption: Corrupt critical data structures, causing crashes or logic manipulation to bypass security checks
  • Privilege escalation: Modify authorization flags or user context stored in heap objects
  • Information disclosure: Trigger controlled crashes that leak sensitive data through error messages or core dumps
  • Heap spray payloads: Combined with other vulnerabilities, create reliable exploitation paths across multiple platforms

Real-World Examples

The WhatsApp video call vulnerability (CVE-2019-11931) exploited a heap overflow in video decoding, allowing remote code execution through a malicious video file without user interaction. Attackers could compromise devices by simply calling targets.

The OpenSSL Heartbleed bug (CVE-2014-0160), while primarily an information disclosure issue, demonstrated heap-related vulnerabilities by allowing attackers to read arbitrary heap memory. Similar heap overflow issues in TLS implementations have enabled complete server compromise.

The sudo heap overflow (CVE-2021-3156) allowed local privilege escalation on Unix systems by overflowing a heap buffer through carefully crafted command-line arguments, giving unprivileged users root access on affected systems.

Mitigation

  • Memory-safe languages: Use Rust, Go, or managed languages that eliminate manual memory management vulnerabilities
  • Hardened heap allocators: Deploy jemalloc, PartitionAlloc, or Scudo with guard pages and randomization features
  • Address Space Layout Randomization (ASLR): Randomize heap base addresses to make exploitation non-deterministic
  • Bounds checking: Validate all input sizes before heap operations and use safe string functions (strncpy, snprintf)
  • Heap integrity checks: Enable heap consistency verification in production environments
  • Compiler mitigations: Use AddressSanitizer during development and fortify source options at compile time
  • Size limits: Enforce maximum allocation sizes and reject excessive input

Recent CVEs (1940)

EPSS 8% CVSS 9.8
CRITICAL Act Now

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer handler, which can potentially in result code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE +4
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer request handler, which can potentially result in code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE +4
NVD
EPSS 8% CVSS 9.8
CRITICAL Act Now

UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer handler, which can potentially result code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE +4
NVD
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

A heap-based overflow vulnerability exists in the PowerPoint document conversion function of Rainbow PDF Office Server Document Converter V7.0 Pro R1 (7,0,2018,1113). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Heap Overflow Microsoft +2
NVD
EPSS 5% CVSS 9.8
CRITICAL Act Now

UltraVNC revision 1203 has multiple heap buffer overflow vulnerabilities in VNC client code inside Ultra decoder, which results in code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE +4
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

UltraVNC revision 1198 has a heap buffer overflow vulnerability in VNC client code which results code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE +4
NVD
EPSS 2% CVSS 7.8
HIGH PATCH This Week

Several heap-based buffer overflow vulnerabilities in WECON LeviStudioU version 1.8.56 and prior have been identified, which may allow arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

Buffer Overflow Heap Overflow Trend Micro +2
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

A heap corruption in WhatsApp can be caused by a malformed RTP packet being sent after a call is established. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Microsoft Heap Overflow +4
NVD
EPSS 5% CVSS 8.1
HIGH This Week

A vulnerability has been identified in SINUMERIK 828D V4.7 (All versions < V4.7 SP6 HF1), SINUMERIK 840D sl V4.7 (All versions < V4.7 SP6 HF5), SINUMERIK 840D sl V4.8 (All versions < V4.8 SP3). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Heap Overflow Buffer Overflow Sinumerik 828D V4 7 Firmware +2
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

An issue has been found in libIEC61850 v1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Libiec61850
NVD GitHub
EPSS 3% CVSS 8.8
HIGH This Week

The Gluster file system through versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in the '__server_getspec' function via the 'gf_getspec_req' RPC message. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Heap Overflow Denial Of Service Buffer Overflow +4
NVD
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow Denial Of Service Buffer Overflow +3
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

Fuji Electric Alpha5 Smart Loader Versions 3.7 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Alpha5 Smart Loader Firmware
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

Fuji Electric V-Server 4.0.3.0 and prior, A heap-based buffer overflow vulnerability has been identified, which may allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow RCE Buffer Overflow +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

WECON LeviStudio Versions 1.8.29 and 1.8.44 have multiple heap-based buffer overflow vulnerabilities that can be exploited when the application processes specially crafted project files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Levistudiou
NVD
EPSS 4% CVSS 7.5
HIGH POC This Week

Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Rockwell Buffer Overflow +1
NVD
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Heap Overflow RCE Buffer Overflow +1
NVD
EPSS 11% CVSS 9.8
CRITICAL Act Now

curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Libcurl +3
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow RCE Buffer Overflow +2
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

An out-of-bounds heap buffer read flaw was found in the way advancecomp before 2.1-2018/02 handled processing of ZIP files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Advancecomp +2
NVD
EPSS 1% CVSS 7.8
HIGH POC This Week

An exploitable heap overflow exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Canvas Draw
NVD
EPSS 2% CVSS 7.8
HIGH POC This Week

An exploitable heap overflow exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow RCE Buffer Overflow +1
NVD
EPSS 1% CVSS 6.6
MEDIUM POC This Month

Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Linux Buffer Overflow +3
NVD
EPSS 7% CVSS 5.3
MEDIUM POC PATCH This Month

A flaw was found affecting the Linux kernel before version 4.17. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available.

Heap Overflow Linux Denial Of Service +8
NVD Exploit-DB
EPSS 4% CVSS 9.8
CRITICAL Act Now

Delta Electronics Delta Industrial Automation DOPSoft version 4.00.04 and prior utilizes a fixed-length heap buffer where a value larger than the buffer can be read from a .dpa file into the buffer,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow RCE Buffer Overflow +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A vulnerability has been identified in RFID 181EIP (All versions), RUGGEDCOM Win (V4.4, V4.5, V5.0, and V5.1), SCALANCE X-200 switch family (incl. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Heap Overflow RCE Buffer Overflow +10
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

In Delta Electronics Automation TPEditor version 1.89 or prior, parsing a malformed program file may cause heap-based buffer overflow vulnerability, which may allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow RCE Buffer Overflow +1
NVD
EPSS 9% CVSS 7.5
HIGH POC PATCH This Week

procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Heap Overflow Denial Of Service Buffer Overflow +3
NVD Exploit-DB
EPSS 2% CVSS 7.8
HIGH POC This Week

procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Privilege Escalation RCE +10
NVD Exploit-DB
EPSS 3% CVSS 8.8
HIGH PATCH This Week

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow RCE Buffer Overflow +2
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow RCE Buffer Overflow +2
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow RCE Buffer Overflow +2
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow RCE Buffer Overflow +2
NVD
EPSS 6% CVSS 9.8
CRITICAL Act Now

In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow RCE Buffer Overflow +4
NVD
EPSS 4% CVSS 7.5
HIGH PATCH This Week

389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Heap Overflow Denial Of Service Buffer Overflow +5
NVD
EPSS 3% CVSS 8.8
HIGH This Week

WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Heap Overflow RCE Buffer Overflow +1
NVD
EPSS 2% CVSS 7.8
HIGH This Week

Heap-based buffer overflow vulnerabilities in Advantech WebAccess HMI Designer 2.1.7.32 and prior caused by processing specially crafted .pm3 files may allow remote code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Heap Overflow RCE Buffer Overflow +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Parsing malformed project files in Omron CX-One versions 4.42 and prior, including the following applications: CX-FLnet versions 1.00 and prior, CX-Protocol versions 1.992 and prior, CX-Programmer. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Cx Flnet +6
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed project files may cause a heap-based buffer overflow. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Heap Overflow Buffer Overflow Cx Supervisor
NVD
EPSS 1% CVSS 7.0
HIGH This Week

This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS release-20170803-20170803T064301Z. Rated high severity (CVSS 7.0). No vendor patch available.

Heap Overflow Buffer Overflow Smartos +2
NVD
EPSS 1% CVSS 8.6
HIGH This Week

A Heap-based Buffer Overflow issue was discovered in WECON LeviStudio HMI. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Heap Overflow +1
NVD
EPSS 9% CVSS 8.8
HIGH PATCH This Week

The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Heap Overflow Wget +1
NVD
EPSS 1% CVSS 8.8
HIGH This Week

A heap-based buffer overflow issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Heap Overflow +1
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Heap Overflow +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

A Heap-Based Buffer Overflow issue was discovered in Wecon Technologies LEVI Studio HMI Editor before 1.8.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow Levi Studio Hmi Editor
NVD
EPSS 1% CVSS 5.0
MEDIUM This Month

Multiple buffer overflows in the OPC Automation 2.0 Server Object ActiveX control in Schneider Electric OPC Factory Server (OFS) TLXCDSUOFS33 3.5 and earlier, TLXCDSTOFS33 3.5 and earlier,. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Heap Overflow Denial Of Service Schneider Electric +6
NVD
EPSS 8% CVSS 9.3
CRITICAL POC Act Now

Heap-based buffer overflow in BKCLogSvr.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via crafted UDP packets. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Heap Overflow RCE Buffer Overflow +1
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

ImageMagick on Alpine Linux received a security fix in package version 7.1.2.24-r0. The specific vulnerability class, impact, and affected versions prior to the fix have not been disclosed in the available intelligence. Based solely on the Alpine Linux vendor advisory, this entry represents a patched security issue in ImageMagick, a widely-used image processing library - however, the nature of what an attacker could do, and under what conditions, cannot be characterized without additional CVE details.

Heap Overflow Buffer Overflow
NVD GitHub VulDB
EPSS 0% CVSS 2.9
LOW Monitor

Alpine Linux: opensc fixed in 0.26.0-r0

Buffer Overflow Heap Overflow Opensc +1
NVD
EPSS 0% CVSS 9.2
CRITICAL PATCH Act Now

Heap-based buffer overflow in socat's SOCKS5 reply parser allows a malicious or compromised SOCKS5 proxy server to corrupt heap memory in clients that route connections through it, with potential for code execution. The flaw affects socat versions prior to 1.8.1.2 (packaged on Alpine Linux as 1.8.1.2-r0) and is triggered when socat acts as a SOCKS5 client and processes an attacker-crafted server reply. No public exploit identified at time of analysis; the CVSS 4.0 base score is 9.2, but the High attack complexity (AC:H) reflects that exploitation depends on a specific SOCKS5 usage path.

Buffer Overflow Heap Overflow Socat
NVD VulDB
Prev Page 22 of 22

Quick Facts

Typical Severity
HIGH
Category
memory
Total CVEs
1940

Related CWEs

MITRE ATT&CK

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy