CWE-562 (Return of Stack Variable Address) — Vulnerability Class 6

6 vulnerabilities classified as CWE-562 (Return of Stack Variable Address). AI Chinese analysis included.

CWE-562 is a memory safety weakness in which a function returns the address of one of its own local (stack) variables. Because stack memory is reclaimed automatically when the function returns, the returned pointer is dangling from the moment the caller receives it. Attackers typically exploit this by triggering subsequent function calls that reuse and overwrite the same stack region, corrupting the data the pointer refers to or crashing the program through an invalid memory access. The result is unpredictable program behavior, denial of service, or potentially code execution if the corrupted data influences control flow. Developers prevent this by returning data by value rather than by pointer, by writing into a buffer the caller supplies, or by allocating the result on the heap with a dynamic allocation function such as malloc. Smart pointers or returned copies of data structures likewise ensure that the returned data stays valid and independent of the returning function's stack frame, eliminating the risk of reading freed or overwritten memory.

MITRE CWE Description
A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash. Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.
Common Consequences (1)
Scope: Availability, Integrity, Confidentiality. Impact: Read Memory, Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart.
If the returned stack buffer address is dereferenced after the return, then an attacker may be able to modify or read memory, depending on how the address is used. If the address is used for reading, then the address itself may be exposed, or the contents that the address points to. If the address…
Mitigations (1)
Phase: Implementation. Fix the code so that it does not return a stack address.
Examples (1)
The following function returns a stack address.
char* getName() {
    char name[STR_MAX];
    fillInName(name);
    return name;   /* address of a local array: invalid as soon as getName() returns */
}
(Bad · C)
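The MITRE snippet above, as an added example that is not part of the CWE entry: the CWE-562 pattern compiled next to the two fixes the description names (caller-owned buffer, heap allocation). STR_MAX and fill_in_name() are assumed stand-ins for the page's undefined STR_MAX and fillInName(); the name "alice" is constructed sample data.

```c
/* Added example, not code from the CWE page: the CWE-562 pattern beside two
 * fixes. STR_MAX and fill_in_name() are assumed stand-ins for the page's
 * undefined STR_MAX and fillInName(). */
#include <stdlib.h>
#include <string.h>
#define STR_MAX 32   /* assumed size; the page never defines it */

/* Stand-in for fillInName(): writes a constructed sample name, NUL-terminated. */
static void fill_in_name(char *dst, size_t cap)
{
    strncpy(dst, "alice", cap - 1);
    dst[cap - 1] = '\0';
}

/* BAD (CWE-562): returns the address of a local array. The array lives in this
 * function's stack frame, which is released on return, so the caller receives a
 * dangling pointer. GCC (-Wreturn-local-addr) and Clang (-Wreturn-stack-address)
 * warn on the return line; the result must never be dereferenced. */
char *get_name_bad(void)
{
    char name[STR_MAX];
    fill_in_name(name, sizeof name);
    return name;   /* points into a frame that no longer exists */
}

/* FIX 1: caller-owned storage. The callee only fills a buffer whose lifetime the
 * caller controls, so nothing returned outlives its own frame. */
char *get_name_into(char *buf, size_t cap)
{
    if (buf == NULL || cap == 0)
        return NULL;
    fill_in_name(buf, cap);
    return buf;
}

/* FIX 2: heap storage outlives this frame; the caller must free() the result. */
char *get_name_heap(void)
{
    char *name = malloc(STR_MAX);
    if (name != NULL)
        fill_in_name(name, STR_MAX);
    return name;
}

/* Returns 1 when both fixed variants hand back a valid, readable string. */
int fixed_variants_ok(void)
{
    char local[STR_MAX];
    char *a = get_name_into(local, sizeof local);
    char *b = get_name_heap();
    int ok = a && b && strcmp(a, "alice") == 0 && strcmp(b, "alice") == 0;
    free(b);
    return ok;
}
```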

Vulnerabilities classified as CWE-562 (Return of Stack Variable Address) represent 6 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.