CWE-121
Stack-based Buffer Overflow
Variant | Exploit likelihood: High
What it is
A stack-based buffer overflow is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Impact
| Scope | Impact |
| --- | --- |
| Availability | Modify Memory, DoS: Crash, Exit, or Restart, DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory) |
| Integrity, Confidentiality, Availability, Access Control | Modify Memory, Execute Unauthorized Code or Commands, Bypass Protection Mechanism |
| Integrity, Confidentiality, Availability, Access Control, Other | Modify Memory, Execute Unauthorized Code or Commands, Bypass Protection Mechanism, Other |
Mitigations
- [Operation, Build and Compilation] Use automatic buffer overflow detection mechanisms that are offered by certain compilers or compiler extensions. Examples include: the Microsoft Visual Studio /GS flag, Fedora/Red Hat FORTIFY_SOURCE GCC flag, StackGuard, and ProPolice, which provide various mechanisms including canary-based detection and range/index checking. D3-SFCV (Stack Frame Canary Validation) from D3FEND [REF-1334] dis
- [Architecture and Design] Use an abstraction library to abstract away risky APIs. Not a complete solution.
- [Implementation] Implement and perform bounds checking on input.
- [Implementation] Do not use dangerous functions such as gets. Use safer, equivalent functions which check for boundary errors.
- [Operation, Build and Compilation] Run or compile the software using features or extensions that randomly arrange the positions of a program's executable and libraries in memory. Because this makes the addresses unpredictable, it can prevent an attacker from reliably jumping to exploitable code. Examples include Address Space Layout Randomization (ASLR) [REF-58] [REF-60] and Position-Independent Executables (PIE) [REF-64]. Im
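
The two Implementation mitigations above (bounds checking on input, and replacing gets with a length-checked read), shown as an added C example that is not part of the MITRE entry. The helper names copy_bounded and read_line_bounded and the 16-byte buffer size are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF_SIZE 16  /* stack buffer size incl. NUL (assumed value) */
/* Pattern to avoid (comment only, never compiled):
 *     char name[NAME_BUF_SIZE]; gets(name);       // no length limit
 *     char name[NAME_BUF_SIZE]; strcpy(name, s);  // copies until NUL */

/* Bounds-checked copy: 0 on success, -1 if src plus its NUL does not fit.
 * Over-long input is rejected rather than silently truncated. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || strlen(src) >= dstsz)
        return -1;
    memcpy(dst, src, strlen(src) + 1);  /* length + NUL <= dstsz, checked above */
    return 0;
}

/* gets() replacement built on fgets(), which writes at most dstsz bytes.
 * 0: line stored without its newline. -1: EOF, error, or over-long line
 * (the remainder of that line is drained so the next read starts clean). */
int read_line_bounded(FILE *in, char *dst, size_t dstsz)
{
    int c;
    size_t n;
    if (!in || !dst || dstsz < 2 || dstsz > INT_MAX || !fgets(dst, (int)dstsz, in))
        return -1;
    n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 0;
    }
    if ((c = fgetc(in)) == EOF)  /* no newline, nothing left: final line fit */
        return 0;
    while (c != '\n' && c != EOF)
        c = fgetc(in);
    dst[0] = '\0';
    return -1;
}

int main(void)
{
    char name[NAME_BUF_SIZE];  /* the stack buffer being protected */
    if (read_line_bounded(stdin, name, sizeof name) != 0)
        return 1;              /* EOF, error, or over-long input */
    printf("hello, %s\n", name);
    return 0;
}
```

Both helpers take the destination size from the caller (`sizeof name`), so the check stays correct if the buffer is later resized.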
Real-world CVE examples
- CVE-2021-35395 — Stack-based buffer overflows in SDK for wifi chipset used for IoT/embedded devices, as exploited in the wild per CISA KEV.
Source: MITRE CWE. View on cwe.mitre.org →