Heap Buffer Overflow, Explained — The Bug Behind This Week’s NGINX Patch

What it is

A heap buffer overflow is a software bug where a program writes more data into a chunk of memory than that chunk was sized to hold. The “heap” is the area where applications allocate memory while they run — for things like request headers, file contents, or temporary working data. When too much data goes in, it spills over and overwrites whatever was sitting next to it in memory.

Think of it like pouring eight litres of water into a five-litre bucket on a workbench. The extra water doesn’t disappear; it ruins whatever else is on the bench. In a server, that “whatever else” is whatever happened to be allocated next door: another request’s data, a function pointer the program will call later, or the memory allocator’s own bookkeeping. Overwrite the right thing and the attacker chooses what runs next, or at the very least changes what the program believes about its data, such as how long a field is or whether a session is an administrator’s.
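The same spill in working code, as an added example that is not part of the original post and is unrelated to NGINX or its rewrite module. A heap-allocated session record keeps a fixed-size name field directly in front of a privilege flag; an unchecked copy spills the attacker’s extra bytes into the flag, while the checked version refuses oversized input. The record layout, field names and attacker string are all constructed for illustration, and the flag is kept inside the same allocation so the demonstration is deterministic and does not crash.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX 16

/* A heap-allocated session record (constructed for the example). On a real
 * heap the "thing next door" is usually another object or the allocator's
 * bookkeeping; here it is a second field in the same allocation so the spill
 * is deterministic. name sits at offset 0, is_admin at offset 16, no padding. */
struct record {
    char     name[NAME_MAX];
    uint32_t is_admin;   /* 0 = ordinary user, non-zero = admin */
};

/* Constructed attacker input, not an exploit for any real product: 16 bytes
 * fill the name field, the next 4 bytes land on is_admin. A 0x01 in every
 * byte gives 0x01010101 regardless of the machine's endianness. */
static const char EVIL_NAME[] = "AAAAAAAAAAAAAAAA\x01\x01\x01\x01";
#define EVIL_NAME_LEN (sizeof EVIL_NAME - 1)

/* Vulnerable: trusts the caller's length. Anything past 16 bytes spills out
 * of name and into is_admin. The write is addressed from the record's first
 * byte so it stays inside the single allocation. */
static void set_name_vulnerable(struct record *r, const char *src, size_t len)
{
    memcpy((char *)r + offsetof(struct record, name), src, len);
}

/* Hardened: reject anything that does not fit, leaving room for the
 * terminator. Returns 0 on success, -1 on rejection. */
static int set_name_checked(struct record *r, const char *src, size_t len)
{
    if (len >= NAME_MAX)
        return -1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* Push one input through the vulnerable path and report what is_admin
 * became. The length is capped at the record size so the demo itself never
 * writes past the allocation. */
uint32_t demo_vulnerable(const char *src, size_t len)
{
    struct record *r = calloc(1, sizeof *r);
    if (r == NULL)
        return 0;
    if (len > sizeof *r)
        len = sizeof *r;
    set_name_vulnerable(r, src, len);
    uint32_t result = r->is_admin;
    free(r);
    return result;
}

/* Same input through the checked path: -1 if rejected, otherwise the
 * (unchanged) is_admin value. */
int demo_checked(const char *src, size_t len)
{
    struct record *r = calloc(1, sizeof *r);
    if (r == NULL)
        return -1;
    int result = set_name_checked(r, src, len) == 0 ? (int)r->is_admin : -1;
    free(r);
    return result;
}

int main(void)
{
    printf("benign, vulnerable copy: is_admin = %" PRIu32 "\n",
           demo_vulnerable("alice", 5));
    printf("evil,   vulnerable copy: is_admin = 0x%08" PRIx32 "\n",
           demo_vulnerable(EVIL_NAME, EVIL_NAME_LEN));
    printf("evil,   checked copy:    %d (rejected)\n",
           demo_checked(EVIL_NAME, EVIL_NAME_LEN));
    return 0;
}
```

Run it and the benign name leaves is_admin at 0, the oversized name flips it to 0x01010101 through the vulnerable copy, and the checked copy rejects the same bytes. A real allocator puts different neighbours next to each record, which is why overflows of this kind are unpredictable in practice and why the fix is a length check at the point of copy, not a guess about what lives next door.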

Why it matters this week

The term is in the news because of the NGINX Rift vulnerability (CVE-2026-42945) — a heap buffer overflow in NGINX’s rewrite module now being exploited in the wild. NGINX sits in front of a big chunk of Australian booking platforms, member portals, and e-commerce shops, so the blast radius is wide.

What this means for you

You don’t need the memory mechanics to act. Any software that parses untrusted input, such as web servers, image processors, PDF tools and video codecs, is a candidate for buffer overflows, and the fix is almost always a vendor patch. Two things keep you protected. First, patch promptly when these bugs land: memory corruption that is reachable over the network tends to carry a “critical” CVSS score because it can lead to remote code execution before any login. Second, confirm your servers have Address Space Layout Randomisation (ASLR) switched on. It is free and it raises the cost of exploitation considerably, because an attacker who corrupts a pointer no longer knows where useful code and data sit, so a blind attempt is more likely to crash the process than to take it over. Treat it as a safety net, not a fix: it does not turn an overflow into a harmless crash on its own, attackers routinely pair a memory-disclosure bug with the overflow to learn the addresses they need, and it only protects programs built as position-independent executables. On Linux, cat /proc/sys/kernel/randomize_va_space should print 2. If you’re on one of our managed plans, both are already handled.

Related Guide

Cybersecurity for Sydney SMBs

Explore our complete guide to protecting your business from cyber threats.

Read the Full Guide →

Posted in Strategic