- What is CWE-122?
- A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
- What CVEs are caused by CWE-122?
- 2,270 recorded CVEs are attributed to CWE-122, including CVE-2024-38812, CVE-2025-21333, CVE-2023-27997. 17 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- How do you prevent CWE-122?
- Pre-design: Use a language or compiler that performs automatic bounds checking.
- How is CWE-122 detected?
- Fuzzing: Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.
- What are the consequences of CWE-122?
- Exploiting CWE-122 can lead to: DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory), Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Modify Memory.
- Is CWE-122 actively exploited?
- Yes. 17 CWE-122 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 2,270 recorded CVEs.