
In a joint Secure by Design Alert, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about the persistent threat of buffer overflow vulnerabilities and their potential to compromise software and jeopardize national and economic security. The alert emphasizes the need for manufacturers to adopt secure by design principles and proven mitigation techniques to eliminate this class of flaw.
The agencies highlight the prevalence of buffer overflow vulnerabilities, a type of memory safety defect that “regularly lead to system compromise.” As the agencies explain, “Buffer overflow vulnerabilities (CWE-119) arise when threat actors access or write information in the wrong part of a computer’s memory (i.e., outside the memory buffer).” These vulnerabilities can manifest as stack-based overflows (CWE-121) or heap-based overflows (CWE-122) and can have devastating consequences, including data corruption, sensitive data exposure, program crashes, and, most alarmingly, unauthorized code execution.
The alert underscores the severity of the threat, noting that “Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.” The alert provides a list of recent examples, including CVE-2025-21333, CVE-2025-0282, CVE-2024-49138, CVE-2024-38812, CVE-2023-6549, and CVE-2022-0185, demonstrating the ongoing nature of the problem.
Despite well-documented mitigations, CISA and the FBI express concern that “many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist.” They assert that the use of unsafe practices, “especially the use of memory-unsafe programming languages,” poses an “unacceptable risk to our national and economic security.”
The alert calls for immediate action from manufacturers, urging them to adopt the secure by design practices outlined in the document. These practices include using memory-safe languages, implementing proper input validation, and employing other proven techniques to prevent buffer overflows. CISA and the FBI also recommend that software customers “demand secure products from manufacturers” by requesting a Software Bill of Materials (SBOM) and a secure software development attestation. This empowers customers to verify that manufacturers are taking the necessary steps to address these critical vulnerabilities.
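To make the defect class and its fix concrete, the following is an added C example written for this page; it is not code from the CISA/FBI alert or from any of the products named above. It models a stack frame as a single 32-byte array (a 16-byte buffer followed by 16 bytes standing in for a saved return address or similar data the program trusts) and contrasts an unchecked copy, the pattern behind CWE-121, with a bounds-checked copy that rejects over-long input. The frame layout, the 0xAA marker, and the sample inputs are all constructed for the demonstration; the clip to the frame size in `copy_unchecked` exists only so the demo stays inside the array, since a real frame has no such guard.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16   /* size of the fixed buffer an attacker targets */
#define FRAME_LEN 32   /* buffer plus the 16 bytes that follow it in memory */

/* Models a stack frame: a BUF_LEN-byte buffer immediately followed by data
 * the program relies on (think saved return address or a privilege flag).
 * Everything lives in one array so the "overflow" below stays inside it and
 * remains well-defined C; a real frame has no such safety net. */
typedef struct {
    unsigned char bytes[FRAME_LEN];
} frame_t;

/* Fill the frame with a marker so clobbering past the buffer is visible. */
void frame_init(frame_t *f) {
    memset(f->bytes, 0xAA, FRAME_LEN);
}

/* True if the bytes after the buffer still hold the marker. */
bool saved_intact(const frame_t *f) {
    for (size_t i = BUF_LEN; i < FRAME_LEN; i++) {
        if (f->bytes[i] != 0xAA) return false;
    }
    return true;
}

/* The CWE-121 pattern: the copy length comes from the input itself and is
 * never compared with BUF_LEN. The clip to FRAME_LEN is only there to keep
 * this demo inside the array; real code has nothing stopping the write. */
size_t copy_unchecked(frame_t *f, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, src, n);
    return n;
}

/* The fix: bound the scan of src by the destination size and refuse input
 * that does not fit together with its NUL terminator. Rejecting is safer
 * than truncating, because a silently shortened value can still be misused. */
bool copy_checked(frame_t *f, const char *src) {
    size_t n = 0;
    while (n < BUF_LEN && src[n] != '\0') n++;
    if (n == BUF_LEN) return false;   /* needs BUF_LEN + 1 bytes: too long */
    memcpy(f->bytes, src, n + 1);
    return true;
}

/* Helpers that run one input through each copy on a fresh frame. */
bool unchecked_preserves_saved(const char *src) {
    frame_t f;
    frame_init(&f);
    copy_unchecked(&f, src);
    return saved_intact(&f);
}

bool checked_accepts(const char *src) {
    frame_t f;
    frame_init(&f);
    return copy_checked(&f, src);
}

bool checked_preserves_saved(const char *src) {
    frame_t f;
    frame_init(&f);
    (void)copy_checked(&f, src);
    return saved_intact(&f);
}

int main(void) {
    /* Constructed inputs: one that fits, one 24 bytes long that does not. */
    const char *fits = "alice";
    const char *overlong = "AAAAAAAAAAAAAAAAAAAAAAAA";

    printf("unchecked, short input : saved data intact = %d\n",
           unchecked_preserves_saved(fits));
    printf("unchecked, long input  : saved data intact = %d\n",
           unchecked_preserves_saved(overlong));
    printf("checked, long input    : accepted = %d, intact = %d\n",
           checked_accepts(overlong), checked_preserves_saved(overlong));
    return 0;
}
```

The unchecked copy leaves the marker intact for a five-byte name and overwrites it for the 24-byte input, which is exactly the write "outside the memory buffer" the alert describes. The checked copy refuses the 24-byte input and also a 16-byte one, since the terminator needs a seventeenth byte, while a 15-byte value is accepted; in both cases the bytes past the buffer are untouched. Memory-safe languages enforce this bound for every array access rather than relying on each call site to get it right.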
The agencies stress that while all memory safety vulnerabilities are a concern, buffer overflows are a particularly well-understood subset with readily available solutions. They emphasize that there is no excuse for these vulnerabilities to continue to exist in software. “For these reasons—as well as the damage exploitation of these defects can cause—CISA, FBI, and others designate buffer overflow vulnerabilities as unforgivable defects,” the alert states.