The federal directive forbids vendors from shipping software with such flaws, and flags recent Microsoft and Ivanti zero-days as examples.

FBI and CISA have issued a joint advisory warning software developers against building code with buffer overflow vulnerabilities in it, calling them “unforgivable” mistakes. Tagging the advisory as part of their ongoing “Secure by Design” efforts, the authorities said these vulnerabilities are prevalent in software, including products from vendors like Microsoft, VMware, and Ivanti, and lead to full system compromise.

“CISA and FBI maintain that the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities — especially the use of memory-unsafe programming languages — poses unacceptable risk to our national and economic security,” the authorities said.

A buffer overflow is a memory safety vulnerability that stems from a program reading or writing memory beyond allocated boundaries, by failing to initialize memory properly.

Buffer overflow bugs are unforgivable

“The CISA and FBI recognize that memory safety vulnerabilities encompass a wide range of issues — many of which require significant time and effort to properly resolve,” the advisory added. “While all types of memory safety vulnerabilities can be prevented by using memory safe languages during development, other mitigations may only address certain types of memory safety vulnerabilities.”

The advisory pointed out that buffer overflow flaws are well-understood vulnerabilities and are easily avoidable by using memory-safe languages. It also listed additional techniques to help fix these issues. Despite “well-documented” fixes, buffer overflow vulnerabilities remain quite prevalent, CISA pointed out.
“For these reasons — as well as the damage exploitation of these defects can cause — CISA, FBI, and others[1] designate buffer overflow vulnerabilities as unforgivable defects.”

Manufacturers are asked to refer to the methods outlined in the alert PDF issued with the advisory to prevent and mitigate buffer overflow defects, and software users are advised to demand secure products that include such preventions.

Microsoft, VMware, Ivanti flaws called out

The feds highlighted a list of buffer overflow bugs affecting leading vendors like Microsoft, Ivanti, VMware, Citrix, and Red Hat, ranging from high to critical severity, some of them already exploited in the wild.

The list included two Microsoft flaws: one that could allow local attackers in container-based environments to gain system privileges (CVE-2025-21333), and a privilege escalation in the Windows Common Log File System Driver (CLFS) that could lead to full system access (CVE-2024-49138). The latter was picked up by threat actors as a zero-day exploit and was assigned a CVSS rating of 7.8/10.

Most critical in the list is a VMware vCenter flaw (CVE-2024-38812) that Broadcom had to plug for a second time in months after it admitted the first patch did not completely fix the issue. The flaw was a heap overflow in the vCenter Server’s implementation of the DCERPC (Distributed Computing Environment / Remote Procedure Call) protocol.

Another critical flaw (CVSS 9/10) listed in the advisory is the stack overflow bug in Ivanti’s Connect Secure (CVE-2025-0282) that the IT software maker fixed in January after it was exploited in zero-day attacks.

While historically dependent on memory-unsafe languages like C and C++, all these vendors are gradually moving towards memory-safe languages like Rust, Go, Swift, and Python.
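As an added illustration that is not part of the article or the advisory, the following C shows the defect class the advisory describes: a fixed-size stack buffer filled with no length check, beside a version that checks the length first and refuses input that does not fit. The buffer size, function names, and sample inputs are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Unsafe "before" picture: copies the caller's string into a 16-byte stack
 * buffer with no bounds check. Any input of 16 bytes or more (15 characters
 * plus the terminating NUL is the most that fits) writes past the buffer,
 * a stack-based buffer overflow of the kind the advisory calls unforgivable.
 * It is kept for contrast only and is never given oversized input here. */
void greet_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);                 /* no length check at all */
    printf("hello, %s\n", buf);
}

/* Safe version: measures the input with a bounded scan, leaves room for the
 * NUL terminator, and rejects oversized input instead of truncating it
 * silently. Returns 0 on success, -1 when the input does not fit. */
int greet_safe(const char *name)
{
    char buf[NAME_LEN];
    size_t len = 0;
    while (len < NAME_LEN && name[len] != '\0')   /* never read past the limit */
        len++;
    if (len == NAME_LEN)                          /* no room for the '\0' */
        return -1;
    memcpy(buf, name, len + 1);                   /* copy exactly len bytes + NUL */
    printf("hello, %s\n", buf);
    return 0;
}

/* Longest input greet_safe accepts, in bytes (excluding the NUL). */
size_t greet_safe_max_len(void)
{
    return NAME_LEN - 1;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one exactly one byte too long. */
    const char *ok  = "alice";               /* 5 bytes: fits */
    const char *bad = "0123456789abcdef";    /* 16 bytes: would overflow greet_unsafe */
    greet_unsafe(ok);
    printf("%d\n", greet_safe(ok));          /* 0 */
    printf("%d\n", greet_safe(bad));         /* -1: rejected, no overflow */
    return 0;
}
```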