What is an out-of-bounds write?
Last reviewed June 2, 2026
An out-of-bounds write (CWE-787) occurs when a program writes data outside the boundaries of the intended buffer, either past its end or before its start. This corrupts adjacent memory and can lead to crashes, data corruption, or arbitrary code execution. It is one of the most dangerous and common weakness types in memory-unsafe code.
What an out-of-bounds write is
An out-of-bounds write, tracked as CWE-787, happens when software uses an index or pointer that falls outside the valid range of a buffer and then writes to that location. The write lands on memory the buffer does not own, corrupting whatever data, pointers, or metadata happen to be there.
CWE-787 is a broad parent that includes the classic buffer overflow as one case; it also covers writes before the start of a buffer (buffer underwrite) and writes at an attacker-influenced offset. It consistently ranks at or near the top of the CWE Top 25 Most Dangerous Software Weaknesses.
How the attack works
Suppose code reads a length field from a file and uses it as the number of bytes to copy into a fixed array, without checking that the length fits. An attacker sets an oversized length, and the copy writes far past the array, overwriting adjacent heap or stack structures. If the corrupted bytes include a pointer or a function table entry, the attacker can steer the program's later behavior.
A subtler variant uses an attacker-controlled index, such as array[i] = value where i is taken from input without validation. A negative or oversized i writes to an arbitrary location, which can be more powerful than a simple linear overflow because the attacker chooses where the write lands.
Real-world impact
- Memory corruption leading to crashes and denial of service.
- Arbitrary code execution when control data like return addresses or function pointers is overwritten.
- Privilege escalation in kernel or privileged-process contexts.
- Reliable exploit primitives, since a controlled write-what-where is a powerful building block.
How to prevent it
- Validate every index and length against the buffer's actual size before writing.
- Use memory-safe languages or safe container types that enforce bounds at runtime.
- Replace unbounded copy operations with size-aware equivalents.
- Enable compiler hardening and OS mitigations (ASLR, DEP/NX, stack canaries, AddressSanitizer in testing).
- Fuzz parsers and binary-format handlers, where length and offset bugs concentrate.
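The first prevention item, applied to both cases described under "How the attack works" (a length field read from a file, and an input-supplied index), as an added example that is not code from the original page. The record layout (2-byte little-endian length followed by the payload), the sizes, and the names parse_record and set_slot are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 64
#define SLOT_COUNT 8

/* Constructed record layout (assumption): 2-byte little-endian length, then payload. */
struct record {
    uint8_t payload[PAYLOAD_MAX];
    size_t  len;
};

/* Returns 0 on success, -1 if the declared length cannot be trusted. */
int parse_record(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in == NULL || out == NULL || in_len < 2)
        return -1;
    size_t declared = (size_t)in[0] | ((size_t)in[1] << 8);
    /* Check against the destination size AND against the bytes actually present. */
    if (declared > sizeof out->payload || declared > in_len - 2)
        return -1;
    memcpy(out->payload, in + 2, declared);
    out->len = declared;
    return 0;
}

/* Index taken from input: a signed type keeps a negative value visible so it is rejected. */
int set_slot(uint32_t slots[SLOT_COUNT], long idx, uint32_t value)
{
    if (idx < 0 || idx >= SLOT_COUNT)
        return -1;
    slots[idx] = value;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one valid record, one declaring 0xFFFF bytes. */
    const uint8_t ok[]  = { 0x03, 0x00, 'a', 'b', 'c' };
    const uint8_t bad[] = { 0xFF, 0xFF, 'a', 'b', 'c' };
    struct record r;
    uint32_t slots[SLOT_COUNT] = { 0 };
    int rc = parse_record(ok, sizeof ok, &r) != 0;   /* accepted */
    rc |= parse_record(bad, sizeof bad, &r) != -1;   /* oversized length rejected */
    rc |= set_slot(slots, -1, 7) != -1;              /* negative index rejected */
    rc |= set_slot(slots, 3, 7) != 0;                /* in-range index accepted */
    return rc;
}
```

Building this with AddressSanitizer during testing, as the mitigation item above suggests, confirms that no rejected input reaches memcpy or the array store.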
Frequently asked questions
- What is the difference between an out-of-bounds write and a buffer overflow?
  A buffer overflow is a specific case of an out-of-bounds write where data spills past the end of a buffer. CWE-787 is broader and also covers writes before a buffer or at an arbitrary attacker-chosen offset.
- Why is CWE-787 considered so dangerous?
  Out-of-bounds writes corrupt memory the program relies on, and a controlled write can overwrite pointers or return addresses to achieve code execution. It regularly tops the CWE Top 25 list.
- How do you prevent out-of-bounds writes?
  Bounds-check all indexes and lengths, use memory-safe languages or safe containers, avoid unbounded copies, and enable compiler and OS memory-safety mitigations.
- Which CWE covers out-of-bounds writes?
  It is CWE-787, Out-of-bounds Write, the parent weakness for classic buffer overflows and related memory-write errors.