Heap Overflow
A heap overflow occurs when a program writes data beyond the bounds of a buffer allocated in the heap memory region.
How It Works
A heap overflow occurs when a program writes data beyond the bounds of a buffer allocated in the heap memory region. Unlike stack overflows that target the call stack, heap overflows corrupt dynamically allocated memory managed by functions like malloc() or new. When a program allocates heap memory without properly validating input size, an attacker can supply excessive data that spills into adjacent heap chunks, corrupting heap metadata structures or neighboring objects.
Exploitation typically targets heap management metadata (chunk headers containing size and status information) or data in adjacent allocations. Attackers can overwrite function pointers stored in heap objects, C++ vtable pointers, or critical data fields to redirect program execution. Modern heap implementations use inline metadata, making them vulnerable to carefully crafted overflows that manipulate allocation structures to achieve arbitrary write primitives.
The attack difficulty varies by heap implementation. Attackers must understand the specific allocator's layout (glibc malloc, Windows heap, etc.) and often need information leaks to defeat ASLR. Heap feng shui techniques arrange heap allocations in predictable patterns, placing attacker-controlled data adjacent to target objects to maximize exploitation reliability.
Impact
- Arbitrary code execution: Overwrite function pointers or vtables to redirect control flow to attacker-supplied shellcode
- Memory corruption: Corrupt critical data structures, causing crashes or logic manipulation to bypass security checks
- Privilege escalation: Modify authorization flags or user context stored in heap objects
- Information disclosure: Trigger controlled crashes that leak sensitive data through error messages or core dumps
- Heap spray payloads: Combined with other vulnerabilities, create reliable exploitation paths across multiple platforms
Real-World Examples
The WhatsApp video call vulnerability (CVE-2019-11931) exploited a heap overflow in video decoding, allowing remote code execution through a malicious video file without user interaction. Attackers could compromise devices by simply calling targets.
The OpenSSL Heartbleed bug (CVE-2014-0160), while primarily an information disclosure issue, demonstrated heap-related vulnerabilities by allowing attackers to read arbitrary heap memory. Similar heap overflow issues in TLS implementations have enabled complete server compromise.
The sudo heap overflow (CVE-2021-3156) allowed local privilege escalation on Unix systems by overflowing a heap buffer through carefully crafted command-line arguments, giving unprivileged users root access on affected systems.
Mitigation
- Memory-safe languages: Use Rust, Go, or managed languages that eliminate manual memory management vulnerabilities
- Hardened heap allocators: Deploy jemalloc, PartitionAlloc, or Scudo with guard pages and randomization features
- Address Space Layout Randomization (ASLR): Randomize heap base addresses to make exploitation non-deterministic
- Bounds checking: Validate all input sizes before heap operations and use safe string functions (
strncpy,snprintf) - Heap integrity checks: Enable heap consistency verification in production environments
- Compiler mitigations: Use AddressSanitizer during development and fortify source options at compile time
- Size limits: Enforce maximum allocation sizes and reject excessive input
Recent CVEs (1940)
UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer offer handler, which can potentially in result code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer request handler, which can potentially result in code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
UltraVNC revision 1211 has a heap buffer overflow vulnerability in VNC server code inside file transfer handler, which can potentially result code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A heap-based overflow vulnerability exists in the PowerPoint document conversion function of Rainbow PDF Office Server Document Converter V7.0 Pro R1 (7,0,2018,1113). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
UltraVNC revision 1203 has multiple heap buffer overflow vulnerabilities in VNC client code inside Ultra decoder, which results in code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
UltraVNC revision 1198 has a heap buffer overflow vulnerability in VNC client code which results code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Several heap-based buffer overflow vulnerabilities in WECON LeviStudioU version 1.8.56 and prior have been identified, which may allow arbitrary code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.
A heap corruption in WhatsApp can be caused by a malformed RTP packet being sent after a call is established. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability has been identified in SINUMERIK 828D V4.7 (All versions < V4.7 SP6 HF1), SINUMERIK 840D sl V4.7 (All versions < V4.7 SP6 HF5), SINUMERIK 840D sl V4.8 (All versions < V4.8 SP3). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An issue has been found in libIEC61850 v1.3. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Gluster file system through versions 4.1.4 and 3.12 is vulnerable to a heap-based buffer overflow in the '__server_getspec' function via the 'gf_getspec_req' RPC message. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Curl versions 7.33.0 through 7.61.1 are vulnerable to a buffer overrun in the SASL authentication code that may lead to denial of service. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Fuji Electric Alpha5 Smart Loader Versions 3.7 and prior. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Fuji Electric V-Server 4.0.3.0 and prior, A heap-based buffer overflow vulnerability has been identified, which may allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WECON LeviStudio Versions 1.8.29 and 1.8.44 have multiple heap-based buffer overflow vulnerabilities that can be exploited when the application processes specially crafted project files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Rockwell Automation RSLinx Classic Versions 4.00.01 and prior. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Multiple integer overflow and buffer overflow issues were discovered in spice-client's handling of LZ compressed frames. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
curl before version 7.61.1 is vulnerable to a buffer overrun in the NTLM authentication code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.5096. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An out-of-bounds heap buffer read flaw was found in the way advancecomp before 2.1-2018/02 handled processing of ZIP files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An exploitable heap overflow exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An exploitable heap overflow exists in the TIFF parsing functionality of Canvas Draw version 4.0.0. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Linux kernel is vulnerable to a heap-based buffer overflow in the fs/ext4/xattr.c:ext4_xattr_set_entry() function. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found affecting the Linux kernel before version 4.17. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable. Public exploit code available.
Delta Electronics Delta Industrial Automation DOPSoft version 4.00.04 and prior utilizes a fixed-length heap buffer where a value larger than the buffer can be read from a .dpa file into the buffer,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability has been identified in RFID 181EIP (All versions), RUGGEDCOM Win (V4.4, V4.5, V5.0, and V5.1), SCALANCE X-200 switch family (incl. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In Delta Electronics Automation TPEditor version 1.89 or prior, parsing a malformed program file may cause heap-based buffer overflow vulnerability, which may allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
procps-ng before version 3.3.15 is vulnerable to a denial of service in ps via mmap buffer overflow. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
procps-ng before version 3.3.15 is vulnerable to multiple integer overflows leading to a heap corruption in file2strvec function. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.1.1049. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader 9.0.0.29935. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Advantech WebAccess versions V8.2_20170817 and prior, WebAccess versions V8.3.0 and prior, WebAccess Dashboard versions V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
389-ds-base before versions 1.4.0.9, 1.3.8.1, 1.3.6.15 did not properly handle long search filters with characters needing escapes, possibly leading to buffer overflows. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
WPLSoft in Delta Electronics versions 2.45.0 and prior utilizes a fixed length heap buffer where a value larger than the buffer can be read from a file into the buffer, causing the buffer to be. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Heap-based buffer overflow vulnerabilities in Advantech WebAccess HMI Designer 2.1.7.32 and prior caused by processing specially crafted .pm3 files may allow remote code execution. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Parsing malformed project files in Omron CX-One versions 4.42 and prior, including the following applications: CX-FLnet versions 1.00 and prior, CX-Protocol versions 1.992 and prior, CX-Programmer. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In Omron CX-Supervisor Versions 3.30 and prior, parsing malformed project files may cause a heap-based buffer overflow. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
This vulnerability allows local attackers to escalate privileges on vulnerable installations of Joyent SmartOS release-20170803-20170803T064301Z. Rated high severity (CVSS 7.0). No vendor patch available.
A Heap-based Buffer Overflow issue was discovered in WECON LeviStudio HMI. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The retr.c:fd_read_body() function is called when processing OK responses. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A heap-based buffer overflow issue was discovered in Advantech WebAccess versions prior to V8.2_20170817. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Augeas versions up to and including 1.8.0 are vulnerable to heap-based buffer overflow due to improper handling of escaped strings. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Heap-Based Buffer Overflow issue was discovered in Wecon Technologies LEVI Studio HMI Editor before 1.8.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Multiple buffer overflows in the OPC Automation 2.0 Server Object ActiveX control in Schneider Electric OPC Factory Server (OFS) TLXCDSUOFS33 3.5 and earlier, TLXCDSTOFS33 3.5 and earlier,. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Heap-based buffer overflow in BKCLogSvr.exe in Yokogawa CENTUM CS 3000 R3.09.50 and earlier allows remote attackers to execute arbitrary code via crafted UDP packets. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
ImageMagick on Alpine Linux received a security fix in package version 7.1.2.24-r0. The specific vulnerability class, impact, and affected versions prior to the fix have not been disclosed in the available intelligence. Based solely on the Alpine Linux vendor advisory, this entry represents a patched security issue in ImageMagick, a widely-used image processing library - however, the nature of what an attacker could do, and under what conditions, cannot be characterized without additional CVE details.
Alpine Linux: opensc fixed in 0.26.0-r0
Heap-based buffer overflow in socat's SOCKS5 reply parser allows a malicious or compromised SOCKS5 proxy server to corrupt heap memory in clients that route connections through it, with potential for code execution. The flaw affects socat versions prior to 1.8.1.2 (packaged on Alpine Linux as 1.8.1.2-r0) and is triggered when socat acts as a SOCKS5 client and processes an attacker-crafted server reply. No public exploit identified at time of analysis; the CVSS 4.0 base score is 9.2, but the High attack complexity (AC:H) reflects that exploitation depends on a specific SOCKS5 usage path.