Memory vulnerabilities — SY0-701
Master the memory vulnerabilities tested in CompTIA Security+ SY0-701 — buffer overflows, heap vs. stack, and what separates a crash from code execution.
WHAT IT IS
A memory vulnerability is a weakness in an information system arising from how software allocates, reads, or writes memory — a weakness that could be exploited or triggered by a threat source to compromise confidentiality, integrity, or availability (NIST SP 800-30 Rev. 1, definition of "vulnerability").
The defining example is the buffer overflow: a condition in which more input is placed into a buffer or data-holding area than the capacity allocated, overwriting other information (NIST SP 800-82r3). Attackers exploit that overwrite to crash a system or to inject and execute code they control (NIST SP 800-82r3, CNSSI 4009-2015).
Mental model
Think of a buffer as a fixed-size parking lot. Every car (byte of data) has an assigned space. A buffer overflow is what happens when the 21st car drives in despite there being only 20 spaces — it parks on top of the neighboring structure, damaging whatever was there. The "neighboring structure" is where the security impact lives: if the overwrite reaches a return address or a function pointer, an attacker can redirect execution rather than simply cause a crash.
Two regions of memory sit at the center of the exam's scope:
- Stack — stores local variables and return addresses for function calls; overflows here can overwrite return addresses directly.
- Heap — stores dynamically allocated objects at runtime; overflows here corrupt adjacent heap metadata or object data.
The attack method (overloading a predefined amount of memory storage in a buffer, overwriting and corrupting memory beyond the buffer's boundaries — NIST SP 800-101 Rev. 1) applies to both regions; what differs is what gets overwritten and how hard that overwrite is to exploit reliably.
When to use it
The exam distinguishes memory vulnerability types and their primary security consequence. Use this table to sort the scenario in front of you:
| Vulnerability type | What is overwritten | Primary consequence |
|---|---|---|
| Stack-based buffer overflow | Return address / saved registers | Attacker controls execution flow |
| Heap-based buffer overflow | Adjacent object data or metadata | Attacker corrupts program state |
| Integer overflow | Arithmetic result used as buffer size | Leads to under-allocated buffer, enabling subsequent overflow |
| Null pointer dereference | No write occurs; a null is dereferenced | Crash / denial of service |
Note: integer overflow is included because NIST defines "buffer overflow attack" partly as a method that can overwrite and corrupt memory in data (NIST SP 800-72); an integer overflow that determines a buffer's size can produce an undersized allocation and trigger the same class of memory overwrite.
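The integer overflow row in the table describes a size calculation that wraps before the allocation happens. The following C program is an added example, not code from the page or from any NIST document: it places the naive product beside a checked version that detects the wrap before calling the allocator. The function names are my own, and the sample counts are constructed to sit just past the point where `count * elem_size` no longer fits in `size_t`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive size computation: count * elem_size in size_t wraps silently, so the
 * caller allocates far fewer bytes than it will later write into. Unsigned
 * wrap is defined behaviour in C, which is exactly why nothing warns here. */
size_t naive_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Hardened version: prove the product fits before computing it. Returns false
 * (with *out set to 0) when count * elem_size would exceed SIZE_MAX. */
bool checked_alloc_size(size_t count, size_t elem_size, size_t *out) {
    *out = 0;
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;                 /* wrap detected: refuse to allocate */
    *out = count * elem_size;
    return true;
}

/* Convenience wrapper so the result can be checked without an out-pointer. */
bool size_fits(size_t count, size_t elem_size) {
    size_t unused;
    return checked_alloc_size(count, elem_size, &unused);
}

/* True when the naive computation wrapped: dividing the wrapped byte count
 * back by elem_size no longer recovers the element count, which means the
 * buffer is undersized for the writes that follow. */
bool naive_under_allocates(size_t count, size_t elem_size) {
    size_t n = naive_alloc_size(count, elem_size);
    return elem_size != 0 && n / elem_size != count;
}

/* Allocation helper that addresses the condition (the undersized buffer)
 * rather than its exploitability: NULL instead of a too-small block. */
void *alloc_array_checked(size_t count, size_t elem_size) {
    size_t bytes;
    if (!checked_alloc_size(count, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed sample: two past the largest count whose 4-byte product fits. */
    size_t count = SIZE_MAX / 4 + 2;
    printf("naive bytes for %zu elements of 4: %zu (wrapped: %s)\n",
           count, naive_alloc_size(count, 4),
           naive_under_allocates(count, 4) ? "yes" : "no");
    printf("checked allocation: %s\n",
           size_fits(count, 4) ? "accepted" : "refused");
    return 0;
}
```

For `SIZE_MAX / 4 + 2` elements of 4 bytes the naive product wraps to 4 bytes, so a later loop writing `count` elements would overflow the heap block immediately; the checked version refuses the request. This is the same guard a conforming `calloc` performs on its two arguments, and it is the reason `calloc(count, size)` is preferred over `malloc(count * size)` when the count comes from input.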
COMMON MISCONCEPTION
The trap: assuming a buffer overflow always means code execution.
Buffer overflows do not automatically result in arbitrary code execution. The overflow first produces memory corruption — it overwrites adjacent memory contents. Whether that corruption reaches a code-execution primitive (a return address, a function pointer, a vtable entry) depends on what occupies the adjacent memory and on what mitigations are in place.
Overwriting a return address on the stack can redirect execution. Overwriting inert heap data may only cause a crash — a denial-of-service impact, not a confidentiality or integrity breach. The exam tests whether candidates understand that impact depends on what is overwritten, not simply on the fact that an overflow occurred.
A related misconception is conflating the overflow condition with the attack itself. NIST separates these: the overflow condition is a capacity problem at an interface (NIST SP 800-82r3); the buffer overflow attack is the deliberate method of exploiting that condition (NIST SP 800-101 Rev. 1; NIST SP 800-72). Controls like bounds checking address the condition; controls like address-space randomization and non-executable memory regions address the exploitability of the condition.
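The parking-lot model from the Mental model section and the point above that impact depends on what sits next to the buffer can both be made concrete in C. The program below is an added example, not code from the page or from any NIST document. It models a single frame as a 16-byte buffer followed by one sentinel slot standing in for the saved return address (an assumed, deliberately simplified layout; real compilers order and pad frames differently), and contrasts an unchecked copy with a bounds-checked one. The overwrite is performed through a byte view bounded by the struct's own size, so the model stays well defined and the corrupted neighbor can be inspected afterwards.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one frame: the "parking lot" with 16 spaces, followed
 * by the slot a real frame would use for the saved return address. */
#define BUF_SIZE 16
#define SENTINEL 0xDEADBEEFu

struct frame {
    char buf[BUF_SIZE];          /* data-holding area with a fixed capacity */
    unsigned int saved_slot;     /* the neighbor an overflow reaches first */
};

static void init_frame(struct frame *f) {
    memset(f, 0, sizeof(*f));
    f->saved_slot = SENTINEL;    /* known value so corruption is detectable */
}

/* Vulnerable pattern: copies every input byte with no capacity check.
 * Written over the byte view of the whole struct, bounded by its size, so the
 * overwrite of saved_slot is visible without leaving the model. */
static void copy_unchecked(struct frame *f, const char *in, size_t in_len) {
    unsigned char *raw = (unsigned char *)f;
    size_t limit = sizeof(*f);
    for (size_t i = 0; i < in_len && i < limit; i++)
        raw[i] = (unsigned char)in[i];
}

/* Hardened pattern: the bounds check NIST describes as addressing the
 * condition itself. Input that cannot fit (with room for the NUL) is refused. */
static bool copy_checked(struct frame *f, const char *in, size_t in_len) {
    if (in_len >= BUF_SIZE)
        return false;
    memcpy(f->buf, in, in_len);
    f->buf[in_len] = '\0';
    return true;
}

/* True when the slot next to the buffer still holds its original value. */
static bool neighbor_intact(const struct frame *f) {
    return f->saved_slot == SENTINEL;
}

/* Runs the unchecked copy on a fresh frame and reports whether the neighbor
 * survived. false means the overflow reached the saved slot. */
bool unchecked_preserves_neighbor(const char *in, size_t in_len) {
    struct frame f;
    init_frame(&f);
    copy_unchecked(&f, in, in_len);
    return neighbor_intact(&f);
}

/* Same experiment with the checked copy; the neighbor is always intact. */
bool checked_preserves_neighbor(const char *in, size_t in_len) {
    struct frame f;
    init_frame(&f);
    (void)copy_checked(&f, in, in_len);
    return neighbor_intact(&f);
}

/* Whether the checked copy accepted the input at all. */
bool checked_accepts(const char *in, size_t in_len) {
    struct frame f;
    init_frame(&f);
    return copy_checked(&f, in, in_len);
}

int main(void) {
    /* Constructed inputs: one that fits, one that is "the 21st car". */
    const char *fits = "short";
    const char *spills = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes */
    printf("unchecked, 5 bytes : neighbor %s\n",
           unchecked_preserves_neighbor(fits, 5) ? "intact" : "CORRUPTED");
    printf("unchecked, 24 bytes: neighbor %s\n",
           unchecked_preserves_neighbor(spills, 24) ? "intact" : "CORRUPTED");
    printf("checked,   24 bytes: input %s, neighbor %s\n",
           checked_accepts(spills, 24) ? "accepted" : "refused",
           checked_preserves_neighbor(spills, 24) ? "intact" : "CORRUPTED");
    return 0;
}
```

With the 24-byte input the unchecked copy clobbers the sentinel, which is the overflow condition of NIST SP 800-82r3 made visible; the checked copy refuses the input and the neighbor is untouched. In a real process the corrupted slot would have to be something the CPU later trusts (a return address, a function pointer) before the corruption became control of execution, and mitigations such as address-space randomization and non-executable memory decide how far that trust can be abused. That is the distinction the exam probes: the same overflow against an inert neighbor is a crash, not code execution.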
How it shows up on the exam
The cognitive target is analysis: given a scenario description, identify which type of memory vulnerability is present and match it to its consequence.
Signal phrases to recognize:
- "More input than the buffer can hold" → buffer overflow condition (NIST SP 800-82r3).
- "Overwrites adjacent memory" → memory corruption as a mechanism; follow the thread to what was overwritten to determine impact.
- "Application crashes when receiving a large input" → may be an overflow producing denial of service rather than code execution — candidates who always select "code execution" will be caught by scenarios where the impact is limited to availability.
- "Arithmetic result used to allocate memory" → integer overflow leading to an undersized buffer.
Candidates often conflate where the overflow occurs (stack vs. heap) with what the attacker achieves. Scenario questions frequently hinge on that distinction.
Related concepts
Memory vulnerabilities frequently appear alongside or are confused with:
- Race conditions — another class of implementation weakness, but temporal rather than spatial; involves timing windows rather than memory bounds.
- SQL Injection — an injection vulnerability exploiting insufficient input validation, but in a query interpreter rather than a memory buffer.
- Cross-Site Scripting — a client-side injection vulnerability; shares the "unsanitized input" root cause but operates in the browser's document context rather than process memory.
Sources
Every claim on this page traces to the public exam blueprint and official documentation: