https://www.secdev.uk/blog/tags/out-of-bounds-write/ Recent content in Out-of-Bounds Write on guy@secdev.uk Hugo en-gb Guy Dixon | guy@secdev.uk Sat, 21 Jun 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-06-21-out-of-bounds-writes/ Sat, 21 Jun 2025 00:00:00 +0000 https://www.secdev.uk/blog/technology/2025-06-21-out-of-bounds-writes/ <p>Out-of-bounds writes (CWE-787) are the single most dangerous class of memory corruption vulnerabilities on the SANS/CWE Top 25, and they&rsquo;ve held that position for years. The reason is clear once you dig into the mechanics: writing past the end of a buffer can overwrite return addresses, function pointers, vtable entries, and adjacent heap metadata, giving attackers arbitrary code execution. Unlike higher-level languages where the runtime catches array index violations, C and C++ silently corrupt memory, and the consequences may not manifest until thousands of instructions later. Even Rust, with its ownership model, is vulnerable when <code>unsafe</code> blocks bypass the borrow checker. In this post I&rsquo;ll dissect out-of-bounds writes in C, C++, and Rust, from the classic <code>strcpy</code> overflow to the subtle off-by-one in pointer arithmetic that can survive expert review.</p>