The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have jointly alerted software manufacturers to address buffer overflow vulnerabilities in their products.
These vulnerabilities, which cybercriminals frequently exploit to gain unauthorised access to systems, occur when a program writes more data to a buffer than it can hold, and can lead to system crashes or allow attackers to execute malicious code.

“The software development community has twenty years of extensive knowledge and effective solutions for buffer overflows—however, many software manufacturers continue to expose customers to products with these vulnerabilities,” the alert says. It describes buffer overflow vulnerabilities as a critical subset of memory safety flaws that cybercriminals frequently exploit to gain unauthorized access to systems.
What are buffer overflow vulnerabilities?
According to CISA and the FBI, buffer overflow vulnerabilities “arise when threat actors access or write information in the wrong part of a computer’s memory (i.e., outside the memory buffer).”
A buffer overflow occurs when a program writes more data to a memory buffer than it can hold, causing data to overflow into adjacent memory locations. This can lead to system crashes, data corruption, or, in more severe cases, allow attackers to execute malicious code.
According to CISA and the FBI, these vulnerabilities can be categorised into two main types:
- Stack-based buffer overflows (CWE-121): These occur when excess data is written to a memory stack, potentially allowing attackers to overwrite critical program variables and execute arbitrary code.
- Heap-based buffer overflows (CWE-122): These occur when data overflows into dynamically allocated memory, which can be harder to detect and exploit but still pose a significant security threat.
FBI, CISA on why the vulnerabilities are dangerous
Threat actors often use buffer overflow vulnerabilities as an entry point to infiltrate systems and move laterally across networks. Exploiting these vulnerabilities can allow attackers to:
- Gain unauthorized access to sensitive data.
- Install and execute malicious software.
- Corrupt system memory, leading to application crashes or erratic behavior.
- Bypass security mechanisms such as authentication protocols.
CISA and the FBI say that the continued use of unsafe software development practices, particularly the reliance on memory-unsafe programming languages like C and C++, is a major factor in the persistence of these vulnerabilities. “Despite the existence of well-documented, effective mitigations for buffer overflow vulnerabilities, many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist,” the agencies warn.
Cybersecurity researchers have identified several buffer overflow vulnerabilities in widely used software. For instance, vulnerabilities like CVE-2025-21333 and CVE-2025-0282 were recently reported. Additionally, in early 2024, vulnerabilities in the Autel MaxiCharger electric vehicle (EV) charger (CVE-2024-23967, CVE-2024-23957) were exploited due to improper handling of encoded data, leading to potential remote code execution.
Recommendations for software developers
CISA and the FBI are urging software manufacturers to adopt secure by design principles and take proactive steps to eliminate buffer overflow vulnerabilities. The alert outlines several key recommendations:
- Use memory-safe languages:
- Where feasible, developers should transition to programming languages that inherently prevent buffer overflows, such as Perl, Swift, or Java.
- “We recommend manufacturers develop and implement a phased transition plan for increasing memory-safe language usage,” the alert advises.
- Enable compiler-based protections:
- Software teams should enable compiler flags that enforce buffer overflow protections and utilize stack canaries, which detect and prevent stack-based overflows.
- Regularly run tests:
- The use of AddressSanitizer and MemorySanitizer during development can help detect memory safety issues before they become vulnerabilities.
- Regular security audits, static analysis, and fuzz testing should be integrated into the software development lifecycle.
- Enhance transparency and accountability:
- Software vendors should publish a memory-safety roadmap outlining their strategy for mitigating vulnerabilities.
- “Conduct root cause analysis of past vulnerabilities, including buffer overflows, to spot trends and patterns. Where possible, take actions to eliminate entire classes of vulnerabilities across products, rather than the superficial causes,” the alert states.
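The stack-based overflow described earlier and the bounds checking, stack canaries and sanitizers the alert recommends, shown together as an added example that is not code from the alert or this article: a fixed-size stack buffer filled with `strcpy` beside a hardened copy that checks the length first. The function names and the 16-byte limit are assumptions for illustration; building with `-fstack-protector-strong -fsanitize=address` shows the compiler-based protections the alert mentions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 16   /* assumed buffer size for the example */

/* Vulnerable pattern (CWE-121): strcpy copies until the NUL terminator with
 * no regard for the size of dst, so any name of NAME_BUF bytes or more is
 * written past the end of buf into adjacent stack memory. */
void greet_unsafe(const char *name) {
    char buf[NAME_BUF];
    strcpy(buf, name);
    printf("Hello, %s\n", buf);
}

/* Hardened copy: refuse input that cannot fit together with its NUL, then
 * copy exactly the bytes that were checked. Returns 0 on success, -1 if the
 * input was rejected; nothing is written to dst on rejection. */
int copy_name_safe(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) {
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

int greet_safe(const char *name) {
    char buf[NAME_BUF];
    if (copy_name_safe(buf, sizeof buf, name) != 0) {
        fprintf(stderr, "rejected: %zu bytes, limit is %d\n",
                strlen(name), NAME_BUF - 1);
        return -1;
    }
    printf("Hello, %s\n", buf);
    return 0;
}

int main(void) {
    /* Constructed input: 31 bytes, almost twice the buffer size. */
    const char *long_name = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    greet_safe("Ada");       /* fits, greeting printed */
    greet_safe(long_name);   /* rejected, no out-of-bounds write */
    /* greet_unsafe(long_name) would overwrite the stack; compiled with
     * -fstack-protector-strong the canary check aborts the process, and
     * -fsanitize=address reports the out-of-bounds write at the strcpy. */
    return 0;
}
```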
CISA and the FBI say consumers should “demand that software is secure by design. Organisations looking to acquire software that is secure by design should refer to our Secure by Demand guidance and incorporate the following product security considerations into their procurement lifecycle:
Before procurement: Ask questions to understand how each software manufacturer ensures product security.
During procurement: Integrate the organisation’s product security requirements into contract language.
Following procurement: Continually assess product security and security outcomes.”
The Secure by Design initiative, spearheaded by CISA and other global cybersecurity agencies, seeks to foster a cultural shift in the technology industry. This initiative urges companies to prioritise security at the outset of the software development life cycle rather than relying on post-deployment patches. “Products that are secure by design reasonably protect against malicious cyber actors exploiting the most common and dangerous classes of product defect,” the alert says.
Large tech companies, including Google, Microsoft, Amazon Web Services (AWS), and Mozilla, have already begun transitioning to memory-safe languages in critical areas. Google’s Android team, for example, started using Rust in 2019, significantly reducing memory safety vulnerabilities in Android OS. Google in a blog post revealed that “the percentage of memory safety vulnerabilities in Android dropped from 76% to 24% over 6 years as development shifted to memory safe languages.”