The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have warned software developers that buffer overflow vulnerabilities are “unforgivable defects” that can be easily exploited by attackers, and have urged them to adopt secure-by-design practices to avoid creating such flaws.
Buffer overflow vulnerabilities occur when software writes more data to memory than was allocated for it, causing unexpected behavior. These bugs can be used by attackers to hijack the program’s flow, crash it, or make it do malicious things.
The agencies highlighted six buffer overflow vulnerabilities in products from Microsoft and VMware that were exploited before manufacturers issued patches. They have recommended that developers switch to memory-safe coding languages such as Rust, Go, and Swift, and avoid using outdated and unsafe programming practices.
The government acknowledges that rewriting entire codebases in memory-safe languages will require significant effort, but recommends a phased transition plan. Manufacturers should also consider implementing technologies to limit memory safety vulnerabilities in their existing codebases, and use compiler flags with compile-time and runtime protections.
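To make the defect described above concrete, and to show the kind of in-code and compiler-level mitigation the phased plan refers to, here is an added C example (written for this summary, not code from the advisory or from the affected vendors). It places the classic unbounded `strcpy` pattern beside a hardened copy routine that takes the destination size and rejects input that does not fit. The buffer size `NAME_LEN`, the function names and the sample inputs are all constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* fixed-size destination used throughout (constructed) */

/* The defect the advisory describes: strcpy copies until it finds the NUL
 * terminator and never consults the destination size, so any input of
 * NAME_LEN or more characters writes past the end of dst. Kept only for
 * contrast; main() calls it solely with input that fits. */
static void copy_name_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Returns 1 if src (plus its terminator) would not fit in a buffer of
 * dst_size bytes, 0 otherwise. */
int would_overflow(const char *src, size_t dst_size) {
    return strlen(src) >= dst_size;
}

/* Hardened replacement: the caller passes the destination size, the length
 * is checked before any byte is written, and input that does not fit is
 * rejected (dst becomes an empty string) rather than silently truncated.
 * Returns 1 on success, 0 on rejection. */
int copy_name_checked(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 0;
    size_t n = strlen(src);
    if (n >= dst_size) {
        dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);   /* n + 1 copies the terminator too */
    return 1;
}

int main(void) {
    char name[NAME_LEN];
    /* Constructed sample inputs: one that fits, one that does not. */
    const char *short_input = "alice";
    const char *long_input  = "a-very-long-name-that-does-not-fit";

    copy_name_unsafe(name, short_input);   /* safe only because it fits */
    printf("unsafe copy of short input: %s\n", name);

    printf("long input would overflow: %d\n",
           would_overflow(long_input, sizeof name));

    if (copy_name_checked(name, sizeof name, long_input))
        printf("checked copy accepted: %s\n", name);
    else
        printf("checked copy rejected %zu bytes (buffer holds %zu)\n",
               strlen(long_input), sizeof name);
    return 0;
}
```

The compiler flags the advisory alludes to work alongside the explicit size check, not instead of it. Building with GCC or Clang against glibc using `-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong` turns `strcpy` into a bounds-checked variant that aborts instead of corrupting memory, but only where the compiler can see the destination's size (for example a local array passed directly); inside `copy_name_unsafe` the destination is a bare pointer, so its size is unknown and the check cannot fire. That is why passing the size explicitly, as `copy_name_checked` does, is the robust fix, with the flags serving as a second line of defence.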
Software developers are urged to conduct aggressive adversarial product testing, including static analysis, fuzzing, and manual reviews, throughout the entire development lifecycle. Undertaking root-cause analysis of past vulnerabilities is also recommended to learn from past mistakes.
The US government is calling on developers to stop using C and C++ and instead adopt memory-safe languages. While this shift may require significant effort, it can help prevent these “unforgivable” buffer overflow flaws that pose unacceptable risk to national and economic security.
Source: https://www.theregister.com/2025/02/13/fbi_cisa_unforgivable_buffer_overflow