Key Takeaways

  • Use-After-Free (UAF): Accessing memory after it's freed.
  • Double-Free: Freeing the same memory twice corrupts allocator.
  • These bugs power most browser and kernel exploits.
  • Mitigations: ASLR, CFI, memory tagging (MTE).

Memory corruption vulnerabilities remain the most impactful bug class in systems programming. Browser exploits, kernel privilege escalation, and mobile jailbreaks all rely on these techniques.

Use-After-Free Explained

// VULNERABLE CODE
char *ptr = malloc(100);
strcpy(ptr, "secret data");
free(ptr);  // Memory freed

// ... later in code ...
// Attacker triggers allocation of same size
char *evil = malloc(100);  // Gets same memory region!
strcpy(evil, "EVIL");

// Original code still uses ptr (UAF!)
printf("%s", ptr);  // Prints "EVIL"!

Double-Free Attack

// Exploiting double-free
void *a = malloc(64);
void *b = malloc(64);
free(a);
free(b);
free(a);  // DOUBLE FREE!

// Allocator's free list corrupted:
// a -> b -> a -> b -> a...

// Next allocations return overlapping memory
void *c = malloc(64);  // Gets "a"
void *d = malloc(64);  // Gets "b"
void *e = malloc(64);  // Gets "a" again!

// c and e point to same memory!

Modern Mitigations

  • ASLR: Randomizes memory layout
  • Stack Canaries: Detect stack corruption
  • CFI: Control-Flow Integrity prevents ROP
  • MTE: ARM Memory Tagging Extension
  • Safe languages: Rust, Go prevent these bugs

Exploitation Flow

  1. Trigger the vulnerability (UAF/double-free)
  2. Reclaim freed memory with controlled data (heap spray)
  3. Overwrite function pointers or vtables
  4. Redirect execution to shellcode or ROP chain
  5. Bypass ASLR using info leak

Frequently Asked Questions

Why are browsers frequent targets?
Browsers combine complex C++ code, JavaScript JIT compilation, and DOM manipulation—creating many opportunities for memory corruption. Plus, they process untrusted internet content.

Learn more binary exploitation.
Buffer Overflow Guide