CWE-787 Out-of-bounds Write
Coverage status: Background only, this CWE is in scope but has no rules in the SiteShadow rule registry. Taint and heuristic analyzers may flag related patterns; see the coverage report and known gaps for the authoritative list.
What this means
SiteShadow flagged code that may write outside the bounds of a buffer/array.
Why it matters
Out-of-bounds writes can corrupt memory and enable RCE.
- High severity: memory corruption is a common path to RCE in native code.
- Crashes and data corruption even when RCE isn't achievable.
Safer examples
1) Use bounds-checked containers and safe APIs
Prefer languages and libraries that prevent OOB writes.
2) Validate sizes and indices before writing
Enforce maximums and check arithmetic that computes offsets/lengths (see CWE-190).
3) Use sanitizers and fuzzing in CI
ASan/UBSan + fuzzing are extremely effective at catching these early.
How SiteShadow detects it (high level)
- Flags unsafe write patterns and missing bounds checks.
- Prioritizes cases where write offsets/lengths are derived from untrusted inputs.
References
- CWE-787: https://cwe.mitre.org/data/definitions/787.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.