Feds want devs to stop coding 'unforgivable' buffer overflow vulnerabilities
FBI, CISA harrumph at Microsoft and VMware in call for coders to quit baking avoidable defects into stuff
US authorities have labelled buffer overflow vulnerabilities "unforgivable defects", pointed to the presence of the holes in products from the likes of Microsoft and VMware, and urged all software developers to adopt secure-by-design practices to avoid creating more of them.
Buffer overflow vulnerabilities occur when software unexpectedly writes more data to memory storage than has been allocated for that data. The extra information spills into other memory, altering it. Smart attackers can feed carefully crafted data into software with these bugs to hijack the flow of the program so that it can be made to do malicious things, or simply crash it.
(You can learn how to exploit these sorts of holes, and then how not to make these bugs in the first place, by studying books and then playing through wargames.)
In a Wednesday advisory the FBI and Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) labelled such memory safety flaws "unforgivable" because they're avoidable if developers stop using outdated and unsafe coding practices and languages.
The agencies highlighted a half-dozen buffer overflow vulnerabilities, some of which attackers exploited before manufacturers issued patches:
- CVE-2025-21333, a privilege-escalation flaw in Microsoft's Hyper-V NT Kernel Integration VSP component that could allow a local attacker in container-based environments to gain SYSTEM privileges.
- CVE-2025-0282, a critical stack-based buffer overflow bug leading to unauthenticated remote code execution (RCE) in Ivanti's Connect Secure that was exploited as a zero-day.
- CVE-2024-49138, another Microsoft bug, this one also exploited as a zero-day. It allows escalation of privilege attacks on the Windows Common Log File System Driver that can lead to full system access.
- CVE-2024-38812, a critical VMware vCenter heap-overflow vulnerability that leads to RCE and was exploited in attacks after Broadcom's first attempt to fix it didn't work.
- CVE-2023-6549, a memory buffer flaw in Citrix Netscaler ADC and Gateway products that allows out-of-bounds memory reads and denial-of-service attacks.
- CVE-2022-0185, a heap-based buffer overflow flaw in the Linux kernel's legacy_parse_param() function that could allow local users in a Linux user namespace to escalate privileges if unprivileged user namespaces are enabled. It was exploited by Chinese spies.
"CISA and FBI maintain that the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities — especially the use of memory-unsafe programming languages — poses unacceptable risk to our national and economic security," the two government agencies wrote in their joint security alert.
The Feds point out that developers can avoid creating such flaws using memory-safe coding languages such as Rust, Go, and Swift.
Both agencies understand that rewriting entire codebases in memory-safe languages will require "significant effort," and as such recommend manufacturers implement a phased transition plan. While making this shift, "manufacturers should also consider leveraging technologies to limit memory safety vulnerabilities in their existing code bases," CISA and the FBI note.
The Feds also fancy compiler flags that implement compile-time and runtime protections might help.
Running unit tests with an instrumented toolchain – one with AddressSanitizer and MemorySanitizer enabled, basically – is also mentioned as a helpful tactic. Both tools can perform runtime checks for memory safety issues.
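To make the defect class and the fix concrete, here is an added example (not from the advisory or from any of the vendors named above) in C: the classic unbounded copy into a fixed-size stack buffer described earlier, beside a bounded replacement that rejects input that does not fit. The buffer size, names and inputs are constructed for illustration; building the file with `-fsanitize=address` is what turns the unsafe variant's silent corruption into an immediate sanitizer report.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 16   /* constructed buffer size for the example */

/* Vulnerable pattern: strcpy() trusts the caller for the length. Any input
 * of NAME_MAX bytes or more spills past buf into adjacent stack memory,
 * exactly the defect class the advisory calls unforgivable. */
void greet_unsafe(const char *name)
{
    char buf[NAME_MAX];
    strcpy(buf, name);            /* no bounds check */
    printf("hello, %s\n", buf);
}

/* Hardened copy: bounded by the destination size, always NUL-terminated,
 * and oversized input is rejected rather than silently truncated.
 * Returns 0 on success, -1 if src does not fit in dst (with terminator). */
int copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* bounded length scan */
        n++;
    if (n == dst_size)            /* no room left for the terminator */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Same behaviour as greet_unsafe() but refuses input that would overflow. */
int greet_safe(const char *name)
{
    char buf[NAME_MAX];
    if (copy_name_safe(buf, sizeof buf, name) != 0)
        return -1;                /* reject rather than overflow */
    printf("hello, %s\n", buf);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one that fits, one that would overflow. */
    if (greet_safe("alice") != 0)
        puts("unexpected rejection");
    if (greet_safe("this-name-is-far-longer-than-sixteen-bytes") != 0)
        puts("rejected oversized input");
    /* greet_unsafe() with the long input above would corrupt the stack;
     * with -fsanitize=address it aborts with a stack-buffer-overflow report. */
    return 0;
}
```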
The government also urged software developers to "conduct aggressive adversarial product testing, including static analysis, fuzzing, and manual reviews" throughout the entire development lifecycle.
Undertaking root-cause analysis of past vulnerabilities was also recommended, so developers can learn from past mistakes. ®