This weakness occurs when a program allocates memory based on a size value that comes from untrusted input without proper validation. An attacker can supply an…
This weakness occurs when a program allocates memory based on a size value that comes from untrusted input without proper validation. An attacker can supply an extremely large or maliciously crafted size value, causing the application to attempt allocating more memory than available, leading to denial of service, crashes, or in some cases, integer overflow vulnerabilities that enable further exploitation.
02How It Happens
The vulnerability arises when user-controlled input directly influences the amount of memory requested from the operating system. If the application does not validate that the requested size is reasonable—checking against available memory, system limits, or application-specific maximums—an attacker can trigger excessive allocation attempts. In languages like C and C++, integer overflow in size calculations (e.g., size * count) can also wrap around to a small value, causing a buffer to be allocated that is far smaller than the code expects, leading to buffer overflows. Even in managed languages, unbounded allocation requests can exhaust heap memory and crash the process.
03Real-World Impact
Successful exploitation typically results in denial of service: the application crashes or becomes unresponsive when it runs out of memory. In some cases, the system itself may become unstable if the allocation attempt consumes all available RAM. Integer overflow scenarios can be more severe, potentially allowing an attacker to bypass size checks and trigger heap corruption or code execution. Even without overflow, repeated large allocations can degrade performance across the entire system.
04Vulnerable & Fixed Patterns
Vulnerable pattern
import io
def process_file_upload(file_size_header):
# file_size_header comes from untrusted HTTP header
buffer_size = int(file_size_header)
data_buffer = bytearray(buffer_size)
return data_buffer
Why it's vulnerable: The function directly converts untrusted input to an allocation size with no upper bound check. An attacker can send a header claiming a file size of several gigabytes, exhausting available memory.
<?php
function allocate_buffer($user_count) {
// $user_count comes from $_GET or $_POST
$item_size = 1024;
$total_size = $user_count * $item_size;
$buffer = str_repeat("\x00", $total_size);
return $buffer;
}
?>
Why it's vulnerable: The multiplication $user_count * $item_size is not validated. An attacker can supply a very large $user_count, causing str_repeat() to attempt allocating gigabytes of memory, or triggering an integer overflow if the result exceeds PHP's limits.
Define and enforce a maximum allocation size appropriate to your application's use case (e.g., max file upload size, max array length).
Validate all size parameters before use: check that they are positive integers and do not exceed your limit.
Be aware of integer overflow in multiplication or addition of size values; use safe arithmetic or check for overflow before allocating.
Use language-level protections where available (e.g., PHP's memory_limit directive, Python's resource limits).
Log and alert on allocation requests that approach or exceed your limits, as they may indicate an attack.
Test your application with edge cases: zero, negative, and very large size values.
06Signs You May Already Be Affected
Monitor system logs and application error logs for out-of-memory (OOM) errors or crashes that correlate with specific user requests or input patterns. Unexpected spikes in memory usage following particular API calls or file uploads may indicate an attacker is probing for this vulnerability. If your application has recently experienced unexplained crashes or performance degradation tied to user input, investigate whether size validation is in place.