Base · Medium

CWE-562: Return of Stack Variable Address

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

CWE-562 · Base Level · 1 CVE · 1 Mitigation

Description

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.

Potential Impact

Availability, Integrity, Confidentiality

Read Memory, Modify Memory, Execute Unauthorized Code or Commands, DoS: Crash, Exit, or Restart

Demonstrative Examples

The following function returns a stack address.
Bad

    char* getName() {
        char name[STR_MAX];     /* local array: lives in getName's stack frame */
        fillInName(name);
        return name;            /* returns the address of that stack array */
    }

Mitigations & Prevention

Implementation

Fix the code so that it does not return a stack address.
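The bad example above beside two ways of applying the fix (a caller-supplied buffer with its size, and heap storage with explicit ownership), as an added example that is not part of the CWE entry; fillInName's body, STR_MAX's value and the sample name "alice" are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STR_MAX 32

/* Stand-in for the page's fillInName(): writes a constructed sample name
 * into buf and always NUL-terminates it (assumed helper, not from the page). */
static void fillInName(char *buf, size_t size) {
    strncpy(buf, "alice", size - 1);
    buf[size - 1] = '\0';
}

/* CWE-562 as shown on the page: 'name' lives in getName's stack frame, so the
 * returned pointer dangles the moment the function returns. Compilers warn
 * about this (e.g. gcc -Wreturn-local-addr); it is deliberately never called. */
char *getName(void) {
    char name[STR_MAX];
    fillInName(name, sizeof name);
    return name;
}

/* Fix 1: the caller owns the storage and passes it in together with its size.
 * Returns 0 on success, -1 if no usable buffer was supplied. */
int getNameInto(char *dst, size_t dst_size) {
    if (dst == NULL || dst_size == 0) return -1;
    fillInName(dst, dst_size);
    return 0;
}

/* Fix 2: heap storage outlives the call; ownership passes to the caller,
 * which must free() the result. Returns NULL if allocation fails. */
char *getNameAlloc(void) {
    char *name = malloc(STR_MAX);
    if (name == NULL) return NULL;
    fillInName(name, STR_MAX);
    return name;
}

int main(void) {
    char stack_buf[STR_MAX];
    char *heap_name = getNameAlloc();
    if (getNameInto(stack_buf, sizeof stack_buf) == 0) printf("caller buffer: %s\n", stack_buf);
    if (heap_name != NULL) { printf("heap buffer:   %s\n", heap_name); free(heap_name); }
    return 0;
}
```

Both fixed forms keep the storage alive for as long as the caller uses it, which is the property the stack array in getName cannot provide.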

Detection Methods

  • Fuzzing (effectiveness: High) — Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption,
  • Automated Static Analysis (effectiveness: High) — Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then sea
  • Automated Dynamic Analysis (effectiveness: Moderate) — Use tools that are integrated during compilation to insert runtime error-checking mechanisms related to memory safety errors, such as AddressSanitizer (ASan) for C/C++ [REF-1518].

Real-World CVE Examples

CVE ID            Description
CVE-2024-33045    product returns stack variable address, leading to memory corruption

Taxonomy Mappings

  • CERT C Secure Coding: DCL30-C — Declare objects with appropriate storage durations
  • CERT C Secure Coding: POS34-C — Do not call putenv() with a pointer to an automatic variable as the argument
  • Software Fault Patterns: SFP1 — Glitch in computation

Frequently Asked Questions

What is CWE-562?

CWE-562 (Return of Stack Variable Address) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

How can CWE-562 be exploited?

Attackers can exploit CWE-562 (Return of Stack Variable Address) to read memory, modify memory, execute unauthorized code or commands, or cause a DoS (crash, exit, or restart). This weakness is typically introduced during the Implementation phase of software development.

How do I prevent CWE-562?

Key mitigations include: Fix the code so that it does not return a stack address.

What is the severity of CWE-562?

CWE-562 is classified as a Base-level weakness (Medium abstraction). It has been observed in 1 real-world CVE.