VYPR

CWE-562

Return of Stack Variable Address

BaseDraft

Description

A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.

Because local variables are allocated on the stack, when a program returns a pointer to a local variable, it is returning a stack address. A subsequent function call is likely to re-use this same stack address, thereby overwriting the value of the pointer, which no longer corresponds to the same variable since a function's stack frame is invalidated when it returns. At best this will cause the value of the pointer to change unexpectedly. In many cases it causes the program to crash the next time the pointer is dereferenced.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (4)

  • CVE-2024-4418MedMay 8, 2024
    risk 0.40cvss 6.2epss 0.00

    A race condition leading to a stack use-after-free flaw was found in libvirt. Due to a bad assumption in the virNetClientIOEventLoop() method, the `data` pointer to a stack-allocated virNetClientIOEventData structure ended up being used in the virNetClientIOEventFD callback…

  • CVE-2026-3591MedMar 25, 2026
    risk 0.35cvss 5.4epss 0.00

    A use-after-return vulnerability exists in the `named` server when handling DNS queries signed with SIG(0). Using a specially-crafted DNS request, an attacker may be able to cause an ACL to improperly (mis)match an IP address. In a default-allow ACL (denying only specific IP…

  • CVE-2026-26399MedApr 20, 2026
    risk 0.34cvss 5.3epss 0.00

    A stack-use-after-return issue exists in the Arduino_Core_STM32 library prior to version 1.7.0. The pwm_start() function allocates a TIM_HandleTypeDef structure on the stack and passes its address to HAL initialization routines, where it is stored in a global timer handle…

  • CVE-2026-34553MedMar 31, 2026
    risk 0.19cvss 4.0epss 0.00

    iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, there is a defect in LUT dump/iteration logic affecting CIccCLUT::Iterate() and output produced by CIccMBB::Describe() (via CLUT dumping). This issue has been…